Windows Analysis Report
nwVe0gplCc.exe

Overview

General Information

Sample name: nwVe0gplCc.exe (renamed because original name is a hash value)
Original sample name: 0339f68638bc40495d8b049bc8def331.bin.exe
Analysis ID: 1430646
MD5: 0339f68638bc40495d8b049bc8def331
SHA1: bacce3177bee1879b70f494670c2ea353135ccc8
SHA256: 3677070874e81e997c23f5a5a6279d60ef0e73617f9a2fdf4622c06f1958ee02
Tags: exeprg

Detection

Zues
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Zues
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • nwVe0gplCc.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\nwVe0gplCc.exe" MD5: 0339F68638BC40495D8B049BC8DEF331)
    • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Zues | Yara detected Zues | Joe Security |
Process Memory Space: nwVe0gplCc.exe PID: 1360 | JoeSecurity_Zues | Yara detected Zues | Joe Security |

Sigma match: Process started | Author: vburov | Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: "C:\Users\user\Desktop\nwVe0gplCc.exe", ParentImage: C:\Users\user\Desktop\nwVe0gplCc.exe, ParentProcessId: 1360, ParentProcessName: nwVe0gplCc.exe, ProcessCommandLine: winlogon.exe, ProcessId: 564, ProcessName: winlogon.exe
      No Snort rule has matched

      AV Detection

Source: nwVe0gplCc.exe | Avira: detected
Source: C:\Windows\SysWOW64\ntos.exe | Avira: detection malicious, Label: TR/Spy.Agent.42498
Source: nwVe0gplCc.exe | ReversingLabs: Detection: 94%
Source: C:\Windows\SysWOW64\ntos.exe | Joe Sandbox ML: detected
Source: nwVe0gplCc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041C00B CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_0041C00B
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00409D19 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00409D19
Source: nwVe0gplCc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041C0C3 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_0041C0C3
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041DCCB lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0041DCCB
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00406C9E ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00406C9E
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041D959 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0041D959
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00409DD1 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00409DD1
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040B9D9 lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0040B9D9
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040B667 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0040B667
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00415EDE PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00415EDE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00403BEC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00403BEC
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00418F90 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00418F90
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00417C33 HttpQueryInfoA,CreateFileW,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle, 0_2_00417C33
Source: nwVe0gplCc.exe, 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/

      E-Banking Fraud

Source: Yara match | File source: 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nwVe0gplCc.exe PID: 1360, type: MEMORYSTR
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041CD7B OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CreateProcessAsUserW,CloseHandle,CreateProcessW,CloseHandle,CloseHandle, 0_2_0041CD7B
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | File created: C:\Windows\SysWOW64\ntos.exe
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | File created: C:\Windows\SysWOW64\ntos.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041B54B 0_2_0041B54B
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00409259 0_2_00409259
Source: nwVe0gplCc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nwVe0gplCc.exe | Static PE information: Section: .dwp ZLIB complexity 0.9919577205882353
Source: ntos.exe.0.dr | Static PE information: Section: .dwp ZLIB complexity 0.9919577205882353
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00415492 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_00415492
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_004031A0 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore, 0_2_004031A0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040A517 GetCurrentProcessId,GetProcAddress,SetErrorMode,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetUserDefaultUILanguage, 0_2_0040A517
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041C809 GetCurrentProcessId,GetProcAddress,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,GetUserDefaultUILanguage, 0_2_0041C809
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040A8B2 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 0_2_0040A8B2
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_004180B0 CoCreateInstance, 0_2_004180B0
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Mutant created: \Sessions\1\BaseNamedObjects\__SYSTEM__91C38905__
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nwVe0gplCc.exe | ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | File read: C:\Users\user\Desktop\nwVe0gplCc.exe
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Section loaded: ntmarta.dll
Source: nwVe0gplCc.exe | Static file information: File size 4896768 > 1048576
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_004094EF LoadLibraryA,GetProcAddress, 0_2_004094EF
Source: initial sample | Static PE information: section where entry point is pointing to: .pwz
Source: nwVe0gplCc.exe | Static PE information: section name: .dwp
Source: nwVe0gplCc.exe | Static PE information: section name: .ryf
Source: nwVe0gplCc.exe | Static PE information: section name: .avozuj
Source: nwVe0gplCc.exe | Static PE information: section name: .pwz
Source: ntos.exe.0.dr | Static PE information: section name: .dwp
Source: ntos.exe.0.dr | Static PE information: section name: .ryf
Source: ntos.exe.0.dr | Static PE information: section name: .avozuj
Source: ntos.exe.0.dr | Static PE information: section name: .pwz
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | File created: C:\Windows\SysWOW64\ntos.exe (dropped file)
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | File created: C:\Windows\SysWOW64\ntos.exe (dropped file)

      Boot Survival

Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00419474 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcmpiW, 0_2_00419474
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Window / User API: threadDelayed 4756
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\ntos.exe
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-9758
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-9703
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | API coverage: 6.2 %
Source: C:\Users\user\Desktop\nwVe0gplCc.exe TID: 7032 | Thread sleep count: 4756 > 30
Source: C:\Users\user\Desktop\nwVe0gplCc.exe TID: 7032 | Thread sleep time: -95120s >= -30000s
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Thread sleep count: Count: 4756 delay: -20
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041C0C3 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_0041C0C3
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041DCCB lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0041DCCB
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00406C9E ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00406C9E
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0041D959 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0041D959
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00409DD1 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00409DD1
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040B9D9 lstrcpyW,lstrcatW,FindFirstFileW,FindFirstFileW,FindClose,WaitForSingleObject, 0_2_0040B9D9
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040B667 PathCombineW,FindClose,PathCombineW,Sleep,PathCombineW,FindFirstFileW,WaitForSingleObject, 0_2_0040B667
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00415EDE PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00415EDE
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00403BEC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose, 0_2_00403BEC
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_00418F90 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose, 0_2_00418F90
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_004094EF LoadLibraryA,GetProcAddress, 0_2_004094EF
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Code function: 0_2_0040A4E3 GetProcessHeap, 0_2_0040A4E3
Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nwVe0gplCc.exe | Memory allocated in C:\Windows\System32\winlogon.exe (base | protect), one entry per allocation:
400000 | page no access
400000 | page read and write
401000 | page read and write
40F000 | page read and write
411000 | page read and write
413000 | page read and write
18230000 | page no access
18230000 | page read and write
18231000 | page read and write
1823F000 | page read and write
18241000 | page read and write
18243000 | page read and write
18260000 | page no access
18290000 | page no access
182C0000 | page no access
182F0000 | page no access
18320000 | page no access
18350000 | page no access
18380000 | page no access
183B0000 | page no access
183E0000 | page no access
18410000 | page no access
18440000 | page no access
18470000 | page no access
184A0000 | page no access
184D0000 | page no access
18500000 | page no access
18530000 | page no access
18560000 | page no access
18590000 | page no access
185C0000 | page no access
185F0000 | page no access
18620000 | page no access
18650000 | page no access
18680000 | page no access
186B0000 | page no access
186E0000 | page no access
18710000 | page no access
18740000 | page no access
18770000 | page no access
187A0000 | page no access
187D0000 | page no access
18800000 | page no access
18830000 | page no access
18860000 | page no access
18890000 | page no access
188C0000 | page no access
188F0000 | page no access
18920000 | page no access
18950000 | page no access
18980000 | page no access
189B0000 | page no access
189E0000 | page no access
18A10000 | page no access
18A40000 | page no access
18A70000 | page no access
18AA0000 | page no access
18AD0000 | page no access
18B00000 | page no access
18B30000 | page no access
18B60000 | page no access
18B90000 | page no access
18BC0000 | page no access
18BF0000 | page no access
18C20000 | page no access
18C50000 | page no access
18C80000 | page no access
18CB0000 | page no access
18CE0000 | page no access
18D10000 | page no access
18D40000 | page no access
18D70000 | page no access
18DA0000 | page no access
18DD0000 | page no access
18E00000 | page no access
18E30000 | page no access
18E60000 | page no access
18E90000 | page no access
18EC0000 | page no access
18EF0000 | page no access
18F20000 | page no access
18F50000 | page no access
18F80000 | page no access
18FB0000 | page no access
18FE0000 | page no access
19010000 | page no access
19040000 | page no access
19070000 | page no access
190A0000 | page no access
190D0000 | page no access
19100000 | page no access
19130000 | page no access
19160000 | page no access
19190000 | page no access
191C0000 | page no access
191F0000 | page no access
19220000 | page no access
19250000 | page no access
19280000 | page no access
192B0000 | page no access
192E0000 | page no access
19310000 | page no access
19340000 | page no access
19370000 | page no access
193A0000 | page no access
193D0000 | page no access
19400000 | page no access
19430000 | page no access
19460000 | page no access
19490000 | page no access
194C0000 | page no access
194F0000 | page no access
19520000 | page no access
19550000 | page no access
19580000 | page no access
195B0000 | page no access
195E0000 | page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19610000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19640000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19670000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 196A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 196D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19700000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19730000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19760000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19790000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 197C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 197F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19820000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19850000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19880000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 198B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 198E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19910000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19940000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19970000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 199A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 199D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19A00000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19A30000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19A60000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19A90000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19AC0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19AF0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19B20000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19B50000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19B80000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19BB0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19BE0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19C10000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19C40000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19C70000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19CA0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19CD0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19D00000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19D30000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19D60000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19D90000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19DC0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19DF0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19E20000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19E50000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19E80000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19EB0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19EE0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19F10000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19F40000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19F70000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19FA0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 19FD0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A000000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A030000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A060000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A090000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A0C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A0F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A120000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A150000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A180000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A1B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A1E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A210000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A240000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A270000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A2A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A2D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A300000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A330000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A360000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A390000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A3C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A3F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A420000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A450000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A480000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A4B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A4E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A510000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A540000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A570000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A5A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A5D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A600000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A630000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A660000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A690000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A6C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A6F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A720000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A750000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A780000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A7B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A7E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A810000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A840000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A870000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A8A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A8D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A900000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A930000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A960000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A990000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A9C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1A9F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AA20000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AA50000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AA80000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AAB0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AAE0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AB10000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AB40000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AB70000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ABA0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ABD0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AC00000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AC30000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AC60000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AC90000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ACC0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ACF0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AD20000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AD50000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AD80000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ADB0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1ADE0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AE10000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AE40000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AE70000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AEA0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AED0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AF00000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AF30000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AF60000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AF90000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AFC0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1AFF0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B020000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B050000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B080000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B0B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B0E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B110000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B140000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B170000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B1A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B1D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B200000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B230000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B260000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B290000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B2C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B2F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B320000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B350000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B380000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B3B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B3E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B410000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B440000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B470000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B4A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B4D0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B500000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B530000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B560000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B590000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B5C0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B5F0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B620000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B650000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B680000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B6B0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B6E0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B710000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B740000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B770000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory allocated: C:\Windows\System32\winlogon.exe base: 1B7A0000 protect: page no accessJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B7D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B800000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B830000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B860000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B890000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B8C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B8F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B920000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B950000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B980000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B9B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1B9E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA10000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA40000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BA70000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BAA0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BAD0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB00000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB30000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB60000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BB90000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BBC0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BBF0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BC80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BCB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BCE0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD10000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD40000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BD70000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BDA0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BDD0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE00000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE30000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE60000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BE90000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BEC0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BEF0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BF80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BFB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1BFE0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C010000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C040000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C070000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C0A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C0D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C100000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C130000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C160000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C190000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C1C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C1F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C220000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C250000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C280000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C2B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C2E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C310000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C340000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C370000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C3A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C3D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C400000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C430000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C460000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C490000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C4C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C4F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C520000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C550000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C580000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C5B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C5E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C610000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C640000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C670000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C6A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C6D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C700000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C730000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C760000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C790000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C7C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C7F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C820000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C850000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C880000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C8E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C910000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C940000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C970000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C9A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1C9D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA00000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA30000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA60000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CA90000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CAC0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CAF0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CB80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CBB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CBE0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC10000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC40000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CC70000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CCA0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CCD0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD00000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD30000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD60000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CD90000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CDC0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CDF0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CE80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CEB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CEE0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF10000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF40000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CF70000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CFA0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1CFD0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D000000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D030000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D060000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D090000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D0C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D0F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D120000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D150000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D180000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D1B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D1E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D210000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D240000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D270000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D2A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D2D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D300000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D330000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D360000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D390000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D3C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D3F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D420000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D450000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D480000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D4B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D4E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D510000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D540000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D570000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D5A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D5D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D600000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D630000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D660000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D690000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D6C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D6F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D720000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D750000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D780000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D7B0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D7E0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D810000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D840000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D870000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D8A0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D8D0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D900000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D930000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D960000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D990000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D9C0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1D9F0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DA80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DAB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DAE0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB10000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB40000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DB70000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DBA0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DBD0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC00000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC30000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC60000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DC90000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DCC0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DCF0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD20000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD50000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DD80000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1DDB0000 protect: page no access
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 400000 protect: page readonly
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 401000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 40F000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 411000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 413000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18230000 protect: page readonly
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18231000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 1823F000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18241000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory protected: C:\Windows\System32\winlogon.exe base: 18243000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18230000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18260000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18290000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182C0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 182F0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18320000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18350000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18380000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183B0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 183E0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18410000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18440000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18470000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184A0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 184D0000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18500000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exe Memory written: C:\Windows\System32\winlogon.exe base: 18530000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18560000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18590000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185C0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185F0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18620000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18650000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18680000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 186B0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 186E0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18710000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18740000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18770000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 187A0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 187D0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18800000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18830000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18860000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18890000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 188C0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 188F0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18920000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18950000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18980000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 189B0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 189E0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18A10000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18A40000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18A70000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18AA0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18AD0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18B00000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18B30000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18B60000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18B90000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18BC0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18BF0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18C20000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18C50000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18C80000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18CB0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18CE0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18D10000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18D40000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18D70000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18DA0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18DD0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18E00000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18E30000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18E60000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18E90000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18EC0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18EF0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18F20000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18F50000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18F80000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18FB0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18FE0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19010000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19040000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19070000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190A0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190D0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19100000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19130000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19160000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19190000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191C0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191F0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19220000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19250000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19280000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192B0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192E0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19310000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19340000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19370000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193A0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193D0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19400000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19430000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19460000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19490000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 194C0000 value starts with: 4D5AJump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 400000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 401000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 40F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 411000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 413000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18230000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18231000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1823F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18241000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18243000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18260000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18261000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1826F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18271000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18273000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18290000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18291000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1829F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182A3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182C0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182C1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182CF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182D3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182F0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182F1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 182FF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18301000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18303000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18320000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18321000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1832F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18331000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18333000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18350000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18351000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1835F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18361000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18363000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18380000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18381000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1838F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18391000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18393000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183B0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183B1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183BF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183C1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183C3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183E0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183E1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183EF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183F1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 183F3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18410000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18411000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1841F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18421000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18423000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18440000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18441000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1844F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18451000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18453000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18470000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18471000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1847F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18481000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18483000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184A0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184AF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184B1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184B3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184D0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184DF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184E1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 184E3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18500000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18501000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1850F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18511000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18513000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18530000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18531000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1853F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18541000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18543000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18560000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18561000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1856F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18571000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18573000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18590000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18591000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1859F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185A3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185C0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185C1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185CF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185D3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185F0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185F1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 185FF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18601000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18603000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18620000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18621000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1862F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18631000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18633000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18650000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 18651000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190DF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190E1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 190E3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19100000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19101000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1910F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19111000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19113000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19130000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19131000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1913F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19141000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19143000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19160000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19161000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1916F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19171000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19173000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19190000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19191000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1919F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191A3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191C0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191C1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191CF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191D3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191F0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191F1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 191FF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19201000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19203000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19220000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19221000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1922F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19231000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19233000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19250000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19251000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1925F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19261000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19263000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19280000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19281000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1928F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19291000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19293000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192B0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192B1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192BF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192C1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192C3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192E0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192E1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192EF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192F1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 192F3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19310000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19311000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1931F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19321000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19323000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19340000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19341000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1934F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19351000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19353000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19370000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19371000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1937F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19381000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19383000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193A0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193AF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193B1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193B3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193D0000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193D1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193DF000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193E1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 193E3000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19400000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19401000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1940F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19411000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19413000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19430000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19431000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1943F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19441000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19443000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19460000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19461000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1946F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19471000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19473000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19490000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 19491000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 1949F000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 194A1000Jump to behavior
      Source: C:\Users\user\Desktop\nwVe0gplCc.exeMemory written: C:\Windows\System32\winlogon.exe base: 194A3000Jump to behavior
Source: C:\Users\user\Desktop\nwVe0gplCc.exe, Code function: 0_2_0040A517 GetCurrentProcessId,GetProcAddress,SetErrorMode,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetUserDefaultUILanguage,0_2_0040A517
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Program Manager
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
Source: winlogon.exe, 00000002.00000000.1997732559.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\nwVe0gplCc.exe, Code function: 0_2_0041C694 CreateNamedPipeW,CreateEventW,CreateEventW,CreateThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,0_2_0041C694
Source: C:\Users\user\Desktop\nwVe0gplCc.exe, Code function: 0_2_00415492 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_00415492
Source: C:\Users\user\Desktop\nwVe0gplCc.exe, Code function: 0_2_0040A8B2 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle,0_2_0040A8B2
Source: C:\Users\user\Desktop\nwVe0gplCc.exe, Code function: 0_2_0041D16C PathCombineW,PathCombineW,GetModuleFileNameA,GetTimeZoneInformation,GetVersionExW,lstrlenW,0_2_0041D16C
Source: nwVe0gplCc.exe, 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: zlclient.exe
MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the count that precedes a matched technique in the matrix, unmarked entries are the matrix's standard cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Valid Accounts (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Valid Accounts (1); Access Token Manipulation (11); Process Injection (42); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (2); Valid Accounts (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (11); Process Injection (42); Install Root Certificate (1); Software Packing (1); DLL Side-Loading (1); HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Security Software Discovery (2); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Antivirus detection (submitted sample):
Source | Detection | Scanner | Label | Link
nwVe0gplCc.exe | 95% | ReversingLabs | Win32.Trojan.Zeus |
nwVe0gplCc.exe | 100% | Avira | TR/Spy.Agent.42498 |
nwVe0gplCc.exe | 100% | Joe Sandbox ML | |

Antivirus detection (dropped files):
Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\ntos.exe | 100% | Avira | TR/Spy.Agent.42498 |
C:\Windows\SysWOW64\ntos.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs):
Source | Detection | Scanner | Label | Link
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | 0% | Avira URL Cloud | safe |

No contacted domains info

URLs found in memory:
Name | Source | Malicious | Antivirus Detection | Reputation
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | nwVe0gplCc.exe, 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low

No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430646
Start date and time: 2024-04-24 01:31:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nwVe0gplCc.exe (renamed because the original name is a hash value)
Original Sample Name: 0339f68638bc40495d8b049bc8def331.bin.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 153
Cookbook Comments:
• Found application associated with file extension: .exe
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• VT rate limit hit for: nwVe0gplCc.exe
Time | Type | Description
01:32:45 | API Interceptor | 3256x Sleep call for process: nwVe0gplCc.exe modified
      No context
      No context
      No context
      No context
      No context
Process: C:\Users\user\Desktop\nwVe0gplCc.exe
File Type: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Category: modified
Size (bytes): 4979200
Entropy (8bit): 7.413603749684846
Encrypted: false
SSDEEP: 98304:dlTZzTMTCIkXpfL8fmSONR2VibjsQ+F9A0nF+WlNbYTGJ:rZHaCIkZfL8fmSQsVsQJjFFUTGJ
MD5: DA343B1D30B70FD5E1859AD1DB758C20
SHA1: 1468FF4BEFBE9148E329F81C0E776732A8EF07C2
SHA-256: CF9DD1D53228A4C63F092AAC326B9E95F8664EA322E263F570297FC85526913F
SHA-512: 1754408166AFC8DED68DE6F3F1FD271C54A5AC2FCC0177D20A33ABC89C98D0A6B39A15F21800A32051A5DF10E4C750347DB145518235D4783866B99CCD8666CE
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
      Preview:MZ................6.`............O...'... ......................^}f}(@.M.G.R.R.U.`.\4.<h..(..#.^}f}(@..NzV.Q.S.FW5.;..}L.&Q.S.e.......M./6!`..5$W..PE..L.....z8..............X......&.......0...0........@.......................... .............................................. 0.......................................................................................................................dwp................................@....ryf................................@....avozuj.P...........................@....pwz.........0...................... ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\nwVe0gplCc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
File type: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Entropy (8bit): 7.4133017540238475
TrID:
• Win32 Executable (generic) a (10002005/4) 99.98%
• DOS Executable Generic (2002/1) 0.02%
File name: nwVe0gplCc.exe
File size: 4'896'768 bytes
MD5: 0339f68638bc40495d8b049bc8def331
SHA1: bacce3177bee1879b70f494670c2ea353135ccc8
SHA256: 3677070874e81e997c23f5a5a6279d60ef0e73617f9a2fdf4622c06f1958ee02
SHA512: b833a8523a5f858e51ba5c7702923c2f3be7c6c295d01021f18d4569c8d28cfe0506cf0a53de4d7958cb2d089ee9167bd6af7dfe1a8e0cddd2435e2d877cbb03
SSDEEP: 98304:dlTZzTMTCIkXpfL8fmSONR2VibjsQ+F9A0nF+WlNbYTGL:rZHaCIkZfL8fmSQsVsQJjFFUTGL
TLSH: 65363362BECC8378F35328FBD522EC651189370B4D7389476ABA58DB4F175E9402722E
      File Content Preview:MZ................6.`............O...'... ......................^}f}(@.M.G.R.R.U.`.\4.<h..(...#.^}f}(@..NzV.Q.S.FW5.;..}L.&Q.S.e.......M./6!`..5$W..PE..L.....z8..............X......&.......0...0........@.......................... .........................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4130a1
Entrypoint Section: .pwz
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x387AFC9D [Tue Jan 11 09:49:17 2000 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 7794f1c417f53b4eaf5f84c39d736981
      Instruction
      xor ebx, ebx
      inc edi
      mov eax, 00000000h
      xor eax, eax
      mov edi, 00000000h
      mov ebx, edi
      mov ebx, 0000009Ch
      mov ebx, 004130E4h
      xor edi, ebx
      mov edi, 000000EAh
      mov edi, 004132F2h
      inc byte ptr [ebx]
      inc ebx
      cmp ebx, 004132F2h
      jne 00007FC380823027h
      inc eax
      mov ecx, 00000000h
      xor ecx, eax
      cmp eax, 00019AA8h
      jne 00007FC380822FFBh
      xor ebx, edi
      call 00007FC3DD66191Dh
      jl 00007FC380822FF0h
      mov ebx, dword ptr [eax]
      rcl byte ptr [edi+57h], 00000058h
      pop eax
      ror byte ptr [esi], FFFFFFCCh
      int B5h
      sar byte ptr [edx+5Fh], 0000003Ch
      leave
      rcr al, 00000047h
      push eax
      insd
      rol byte ptr [eax+esi*4-45h], 0000002Eh
      jecxz 00007FC380823086h
      mov esi, B2A590D9h
      int 6Bh
      jecxz 00007FC380822FDAh
      xchg eax, esp
      fst dword ptr [edx+58h]
      push 60CF5858h
      mov esi, A86894D9h
      popfd
      int3
      pop edi
      test dword ptr [eax+58h], ebx
      pop ecx
      pop eax
      inc ebx
      aaa
      test al, E3h
      int3
      push DB485BD0h
      push ds
      jo 00007FC38082301Dh
      add eax, 05A805A8h
      test al, 5Bh
      sbb ebp, dword ptr [eax+44E3A805h]
      jecxz 00007FC380822FD7h
      push CDE32A8Bh
      pop esp
      jecxz 00007FC380822FC0h
      pop ebx
      dec ebx
      mov ebx, dword ptr [eax]
      test al, 19h
      and byte ptr [edi-77h], bl
      pop esp
      jl 00007FC380823036h
      fcomp qword ptr [eax]
      int 4Dh
      mov al, AFh
      fst dword ptr [edi+58585757h]
      int3
      popad
      xchg eax, ebx
      pop edi
      int3
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13020 | 0x8d | .pwz
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.dwp | 0x1000 | 0xd406 | 0x8800 | 0c937f41db8eb98e60190c6950df67c5 | False | 0.9919577205882353 | data | 7.966129493293342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ryf | 0xf000 | 0x1300 | 0x400 | 7d3be68905e211fa21205f350e9eac2e | False | 0.6220703125 | data | 5.3893021450025085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.avozuj | 0x11000 | 0x1150 | 0x1200 | 341b52202affd34cd6c0182283488c80 | False | 0.9259982638888888 | data | 7.557018371711153 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pwz | 0x13000 | 0xf000 | 0x400 | b9c214c152cc33bc12c4a4220a8b77ef | False | 0.578125 | data | 5.14058216288158 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
ole32.dll | CoCreateInstance, CoDisconnectObject, CoGetClassObject
      No network behavior found

      Target ID:0
      Start time:01:31:51
      Start date:24/04/2024
      Path:C:\Users\user\Desktop\nwVe0gplCc.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\nwVe0gplCc.exe"
      Imagebase:0x400000
      File size:4'896'768 bytes
      MD5 hash:0339F68638BC40495D8B049BC8DEF331
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_Zues, Description: Yara detected Zues, Source: 00000000.00000002.3243321217.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
      Reputation:low
      Has exited:false

      Target ID:2
      Start time:01:31:52
      Start date:24/04/2024
      Path:C:\Windows\System32\winlogon.exe
      Wow64 process (32bit):false
      Commandline:winlogon.exe
      Imagebase:0x7ff6156c0000
      File size:906'240 bytes
      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:false


        Execution Graph

        Execution Coverage:3.6%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:21%
        Total number of Nodes:424
        Total number of Limit Nodes:10

        Control-flow Graph

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A8C2
        • GetUserNameW.ADVAPI32(?,00000103), ref: 0040A8F1
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,00000000,?,00000000), ref: 0040A935
        • Process32FirstW.KERNEL32(00000000,?), ref: 0040A94D
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040AA65
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040AA74
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040AA7B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseHandle$CreateFirstFolderNamePathProcess32SnapshotSpecialToolhelp32User
        • String ID: ?$?$\$\$`)~
        • API String ID: 4249123633-197138563
        • Opcode ID: 9c4be4d30dca1eccdfcaeb7e6699d8e2cbb2ead35a2ace792b5a5f173221e444
        • Instruction ID: e0a7a74fa0ba0af1d0cd6b6ee9fc11b2351aa955c4a86c67917bdcdf82052461
        • Opcode Fuzzy Hash: 9c4be4d30dca1eccdfcaeb7e6699d8e2cbb2ead35a2ace792b5a5f173221e444
        • Instruction Fuzzy Hash: 5D512CB1A00319AADB31DB60DE48EEB77BCBF44305F1041B6E606F2590D7349A98DF59
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,0040419B,0000007E,LoadLibraryA), ref: 0040A5C7
        • GetProcAddress.KERNEL32(?), ref: 0040A5F0
        • SetErrorMode.KERNELBASE(00008007,?,?,?,?,?,0040419B,0000007E), ref: 0040A5FF
        • InitializeSecurityDescriptor.ADVAPI32(0040FCE0,00000001,?,?,?,?,?,0040419B,0000007E), ref: 0040A60B
        • SetSecurityDescriptorDacl.ADVAPI32(0040FCE0,00000001,00000000,00000000,?,?,?,?,?,0040419B,0000007E), ref: 0040A615
        • OpenProcessToken.ADVAPI32(00000028,0000007E,?,?,?,?,?,0040419B,0000007E), ref: 0040A63D
        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00000001), ref: 0040A654
        • AdjustTokenPrivileges.KERNELBASE(0000007E,00000000,?,00000010,00000000,00000000), ref: 0040A680
        • GetLastError.KERNEL32 ref: 0040A686
        • FindCloseChangeNotification.KERNELBASE(0000007E,?,?,?,?,?,0040419B,0000007E), ref: 0040A69C
        • GetUserDefaultUILanguage.KERNEL32(?,?,?,?,?,0040419B,0000007E), ref: 0040A6A2
          • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: DescriptorErrorHeapProcessSecurityToken$AddressAdjustAllocateChangeCloseCurrentDaclDefaultFindFreeInitializeLanguageLastLookupModeNotificationOpenPrivilegePrivilegesProcUserValue
        • String ID: `)~$k
        • API String ID: 91126995-4157439176
        • Opcode ID: 62846a18ee4c561c55b07f6769e1f35c0daa9d5010b6047bd2aca4016a5db06d
        • Instruction ID: 569c2e441764a1d2fcf430a05bde310a79f64cd6142c220a7af495d9be03e4ae
        • Opcode Fuzzy Hash: 62846a18ee4c561c55b07f6769e1f35c0daa9d5010b6047bd2aca4016a5db06d
        • Instruction Fuzzy Hash: D641BE71900204EFDB20EFA5DE89D5ABBB8FB05301B10003AF855F36A1CB39A959DF59
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,00002000,00000001,00000000,?,?,?,00000001), ref: 0040628C
        • VirtualAllocEx.KERNELBASE(?,00000000,?,00002000,00000001,?,?,?,00000001), ref: 004062A3
        • VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,?,?,?,?,00000001), ref: 0040635F
        • WriteProcessMemory.KERNELBASE(?,?,00000001,?,00000000,?,?,?,?,00000001), ref: 00406379
        • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?,?,?,?,?,00000001), ref: 0040638C
        • VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,?,?,?,?), ref: 004063B7
        • WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000000,?,?,?,?), ref: 004063D7
        • VirtualProtectEx.KERNELBASE(?,?,?,00000040,?,?,?,?,?), ref: 004063F0
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Virtual$Alloc$MemoryProcessProtectWrite
        • String ID:
        • API String ID: 426431698-0
        • Opcode ID: d064817a36e2a566d1955e863998cfa22f809eb362bacb95ef49f09812ae5509
        • Instruction ID: cf30ec566aef23a6516cff00ecbbac8a86755308a0c85b369bdc1f48885aef95
        • Opcode Fuzzy Hash: d064817a36e2a566d1955e863998cfa22f809eb362bacb95ef49f09812ae5509
        • Instruction Fuzzy Hash: F9519071900209FFDF118F94CD44BAEBBB6FF44304F14807AF906A66A0D775AA60DB98
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • LoadLibraryA.KERNELBASE(00000000,?,?,00000000,?,?,0040A013,00403148,004029F8,0000005F,0040A4EC,?,0040A530,?,?), ref: 00409507
        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409533
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID:
        • API String ID: 2574300362-0
        • Opcode ID: 3fd778ce39eaae46df6f2729904b917be367bab329ad065c4582ac6d1ac3a8b3
        • Instruction ID: a890a3c596a35e7bf56fff37c35e91419960c14d0f395090f90236148d45208c
        • Opcode Fuzzy Hash: 3fd778ce39eaae46df6f2729904b917be367bab329ad065c4582ac6d1ac3a8b3
        • Instruction Fuzzy Hash: 26F08672204204BFEB11AF66ED458AB77ADEB40754310443BFC05E7191EA75DC02C764
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • GetCommandLineA.KERNEL32 ref: 00404EB5
        • lstrlen.KERNEL32(00000000,?,00000000,0000000A), ref: 00404EC9
        • CreateMutexW.KERNELBASE(0040FE78,00000001,?), ref: 00404F1C
        • GetLastError.KERNEL32 ref: 00404F25
        • CloseHandle.KERNEL32(?), ref: 00404F81
        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040502B
        • lstrcmpiW.KERNEL32(?,?), ref: 0040504C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCommandCreateErrorFileHandleLastLineModuleMutexNamelstrcmpilstrlen
        • String ID: `)~
        • API String ID: 4203948586-1148047842
        • Opcode ID: 7e7b50fe9c7b01f7377e947945100a4544123866d820edeeb53b480940eaf77b
        • Instruction ID: 048e9c1da063a1cb62257d295fb5e1745265c4545e90ea40e237b78bc45ce99b
        • Opcode Fuzzy Hash: 7e7b50fe9c7b01f7377e947945100a4544123866d820edeeb53b480940eaf77b
        • Instruction Fuzzy Hash: D0C157B1900209AFDB21ABA4DD89EAF777CEF04304F14407AF601B65D2DA399E449F69
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph

        APIs
        • lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 00409A09
        • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,00000000,00000000), ref: 00409A2E
        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00409A51
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00409A84
        • StrCmpNIW.SHLWAPI(00000002,?,?,?,00000000,00000000), ref: 00409AAE
        • lstrlenW.KERNEL32(00000000,?,00000000,00000000), ref: 00409AC9
        • lstrcpyW.KERNEL32(00000000,?), ref: 00409AEB
        • lstrcpyW.KERNEL32(00000000,004030FC), ref: 00409AFD
        • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000000,?,?,00000000,00000000), ref: 00409B18
        • RegCloseKey.KERNELBASE(?,?,00000000,00000000), ref: 00409B32
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000,00000000), ref: 00409B57
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000002,?,00000000,00000000), ref: 00409B77
        • RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 00409B82
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Value$CloseCreateQuerylstrcpylstrlen$AllocateHeap
        • String ID: `)~
        • API String ID: 2792512604-1148047842
        • Opcode ID: a675439f1fd2f4cd77e04f7cae2a8a76f8de324d6698f201cfb711a22d8d9f9b
        • Instruction ID: 0895aedce296270a77174d82a715da2027adffcc2370f7175600bf4cc340d008
        • Opcode Fuzzy Hash: a675439f1fd2f4cd77e04f7cae2a8a76f8de324d6698f201cfb711a22d8d9f9b
        • Instruction Fuzzy Hash: 2D515836600114FBCB209BA5DD48E9B7FB9FF09750B004076F505E62A1D771AA48DFA4
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 236 404def-404e22: CreateToolhelp32Snapshot, Process32FirstW
        • 237 404e72-404e7e: FindCloseChangeNotification
        • 238 404e24
        • 239 404e25-404e2d
        • 240 404e5f-404e6f: Process32NextW
        • 241 404e2f-404e52: lstrcmpiW
        • 242 404e54-404e59
        • 243 404e5d
        • 244 404e71
        • 245 404e5b
        • Edges: 236->237, 236->238, 238->239, 239->240, 239->241, 240->239, 240->244, 241->242, 241->243, 242->241, 242->245, 243->240, 244->237, 245->240
        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404E0A
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00404E1A
        • lstrcmpiW.KERNELBASE(?,007E2960), ref: 00404E4A
        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00404E67
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E73
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
        • String ID: `)~
        • API String ID: 545148253-1148047842
        • Opcode ID: 0ccfea488853e9d7dc9dc11693c35662186fa7699c993cdff639c30b4eefb95f
        • Instruction ID: 1d27e542a9a78c881dba18652aa404f077afe9ea18edcd3536c1a674110c0989
        • Opcode Fuzzy Hash: 0ccfea488853e9d7dc9dc11693c35662186fa7699c993cdff639c30b4eefb95f
        • Instruction Fuzzy Hash: 4E017C71501124ABD7216BB1EE4CBBBB7B9BB85B01F104076E502F2591DA788849DBA8
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 246 406a2e-406a3f
        • 247 406a41-406a47
        • 248 406a62-406a78: call 40626a
        • 249 406a49-406a5c: OpenProcess
        • 250 406a5e-406a60
        • 252 406aa8-406aab
        • 254 406a96-406a99
        • 255 406a7a-406a90: CreateRemoteThread, FindCloseChangeNotification
        • 256 406aa2-406aa5
        • 257 406a9b-406a9c: CloseHandle
        • Edges: 246->247, 246->248, 247->249, 247->250, 248->254, 248->255, 249->248, 249->250, 250->252, 254->256, 254->257, 255->254, 256->252, 257->256
        APIs
        • OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00405230,-0000A820,00000000,00000000,007E2960), ref: 00406A52
        • CreateRemoteThread.KERNELBASE(`)~,00000000,00000000,00000000,00000000,00000000,?), ref: 00406A89
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00406A90
        • CloseHandle.KERNEL32(`)~), ref: 00406A9C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Close$ChangeCreateFindHandleNotificationOpenProcessRemoteThread
        • String ID: `)~
        • API String ID: 691009747-1148047842
        • Opcode ID: dc7b626f0e89dafe133c1323db1fd9b351a1029be70b14c216f966a332f887e7
        • Instruction ID: 94450d9ef640d6e64f4bf3a0fb7a96e06daf2d45f45b76bcc73d28cd7780e7a8
        • Opcode Fuzzy Hash: dc7b626f0e89dafe133c1323db1fd9b351a1029be70b14c216f966a332f887e7
        • Instruction Fuzzy Hash: DD019271A04218BFDF20AFA49C859EE376DEF06355B05C07AF902B2240D2799E598B69
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 258 409c7d-409c9a: OpenProcessToken
        • 259 409d14-409d18
        • 260 409c9c-409cbe: GetTokenInformation, call 408e3f
        • 263 409cc0-409cd5: GetTokenInformation
        • 264 409d0a-409d13: FindCloseChangeNotification
        • 265 409d03-409d09: call 408e5d
        • 266 409cd7-409cff: LookupAccountSidW
        • 267 409d01
        • Edges: 258->259, 258->260, 260->263, 260->264, 263->265, 263->266, 264->259, 265->264, 266->265, 266->267, 267->265
        APIs
        • OpenProcessToken.ADVAPI32(?,00000008,?,00000000), ref: 00409C92
        • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000,00000000), ref: 00409CAB
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,00000000), ref: 00409CCD
        • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?), ref: 00409CF7
        • FindCloseChangeNotification.KERNELBASE(?), ref: 00409D0D
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Token$Information$AccountAllocateChangeCloseFindHeapLookupNotificationOpenProcess
        • String ID:
        • API String ID: 3037326660-0
        • Opcode ID: 5ef136ff0d434822cbec266c7058ffad6ac0fbdaa85377924f84bd18885abd10
        • Instruction ID: 0e9efccac24f11f841e01355a019ece753660ba40c4a8bc9667a634c56784195
        • Opcode Fuzzy Hash: 5ef136ff0d434822cbec266c7058ffad6ac0fbdaa85377924f84bd18885abd10
        • Instruction Fuzzy Hash: EF11B676940108BEDB21AFA0DD89EDEBB7DEF04344F104076B941F2191DB759F449BA4
        Uniqueness

        Uniqueness Score: -1.00%
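Reading the four traces above (the registry routine at 4099fb, the process walk at 404def, the remote-thread routine at 406a2e and the token query at 409c7d) requires mapping the raw hex arguments to SDK constants: RegCreateKeyExW's first argument 80000002 is HKEY_LOCAL_MACHINE and 80000001 is HKEY_CURRENT_USER, the samDesired masks 3 and 2 are KEY_QUERY_VALUE|KEY_SET_VALUE and KEY_SET_VALUE, RegSetValueExW's type 1 is REG_SZ, CreateToolhelp32Snapshot's 2 is TH32CS_SNAPPROCESS, OpenProcess's 001F0FFF is the PROCESS_ALL_ACCESS value of pre-Vista SDKs, OpenProcessToken's 8 is TOKEN_QUERY and GetTokenInformation's class 1 is TokenUser (TokenIntegrityLevel is 25). The decoder below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. The trace lines embedded in it are taken from the APIs lists above. One assumption: the 0000022C shown as Process32FirstW's second argument is read as the dwSize field of the PROCESSENTRY32W the pointer refers to, which is 556 bytes on 32-bit Windows.

```python
"""Decode the numeric arguments in Joe Sandbox 'APIs' trace lines.

Added example for reading this report; not Joe Sandbox code and not the
sample's code. Constant names come from the Windows SDK headers (winreg.h,
tlhelp32.h, winnt.h); the argument index that carries each constant follows
the documented prototypes (RegCreateKeyExW's samDesired is index 5, etc.).
"""
import re

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD",
                  0x4: "PROCESS_SET_SESSIONID", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA",
                  0x200: "PROCESS_SET_INFORMATION", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
                  0xF0000: "STANDARD_RIGHTS_REQUIRED", 0x100000: "SYNCHRONIZE"}
TOKEN_RIGHTS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE", 0x4: "TOKEN_IMPERSONATE",
                0x8: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT",
                0x100: "TOKEN_ADJUST_SESSIONID"}
TOKEN_CLASSES = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                 18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}

def flags(value, table):
    """Decompose a bitmask into named flags; any leftover bits are reported in hex."""
    names, rest = [], value
    for bit in sorted(table):
        if value & bit == bit:
            names.append(table[bit])
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"

def process_access(value):
    # 0x1F0FFF is PROCESS_ALL_ACCESS as defined before the Vista SDK
    # (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF); Vista+ headers use 0x1FFFFF.
    if value == 0x1F0FFF:
        return "PROCESS_ALL_ACCESS (pre-Vista value 0x1F0FFF)"
    if value == 0x1FFFFF:
        return "PROCESS_ALL_ACCESS"
    return flags(value, PROCESS_RIGHTS)

# (API name, zero-based argument index) -> decoder for that argument.
DECODERS = {
    ("RegCreateKeyExW", 0): HIVES.get,
    ("RegCreateKeyExW", 5): lambda v: flags(v, KEY_RIGHTS),
    ("RegSetValueExW", 3): REG_TYPES.get,
    ("CreateToolhelp32Snapshot", 0): lambda v: flags(v, TH32CS),
    # Assumption: the sandbox prints the pointed-to dwSize here, not the pointer.
    ("Process32FirstW", 1): lambda v: "sizeof(PROCESSENTRY32W)=556" if v == 0x22C else None,
    ("OpenProcess", 0): process_access,
    ("OpenProcessToken", 1): lambda v: flags(v, TOKEN_RIGHTS),
    ("GetTokenInformation", 1): TOKEN_CLASSES.get,
}

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)")
ARG_RE = re.compile(r"^(-?)([0-9A-Fa-f]{1,8})(?:\([^)]*\))?$")   # hex, optional tool note

def parse_arg(token):
    """Hex token -> int (32-bit wrap for negatives); '?' or a symbol -> None."""
    m = ARG_RE.match(token.strip())
    if not m:
        return None
    value = int(m.group(2), 16)
    return (-value) & 0xFFFFFFFF if m.group(1) else value

def decode_trace(text):
    """One record per 'Api.Module(args), ref: addr' line, with decoded arguments."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")]
        decoded = {}
        for i, tok in enumerate(args):
            value, dec = parse_arg(tok), DECODERS.get((m.group("api"), i))
            name = dec(value) if value is not None and dec else None
            if name:
                decoded[i] = name
        records.append({"api": m.group("api"), "module": m.group("module"),
                        "ref": m.group("ref"), "args": args, "decoded": decoded})
    return records

def render(records):
    """Compact view: 'addr Api idx=NAME ...' per call."""
    return [(f"{r['ref']} {r['api']} "
             + " ".join(f"{i}={n}" for i, n in sorted(r["decoded"].items()))).rstrip()
            for r in records]

# Constructed input: lines taken from the APIs lists of the routines above.
TRACE = """
• lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 00409A09
• RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,00000000,00000000), ref: 00409A2E
• RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000000,?,?,00000000,00000000), ref: 00409B18
• RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000,00000000), ref: 00409B57
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404E0A
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00404E1A
• OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00405230,-0000A820,00000000,00000000,007E2960), ref: 00406A52
• OpenProcessToken.ADVAPI32(?,00000008,?,00000000), ref: 00409C92
• GetTokenInformation.KERNELBASE(?,00000001,00000000,00000000,00000000,00000000), ref: 00409CAB
"""

if __name__ == "__main__":
    print("\n".join(render(decode_trace(TRACE))))
```

The decoder keeps the unknown-argument markers ("?") and symbols untouched and only names values at positions whose meaning is fixed by the API prototype, so it will not mislabel a pointer that happens to look like a flag; add a (API, index) entry to DECODERS for each further call you want named.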

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 270 4130dd-413106
        • 272 413108-41310d
        • 273 413122-413127
        • 274 41310f-413118
        • 275 41311a-413120
        • 276 413129-41313f
        • 277 413141-413144
        • 278 413146-41314f
        • 279 413150-413159
        • 280 41315b-41315c
        • 281 41315d-413163
        • 282 413165-413167
        • 283 41316e-413174
        • 284 413169-41316c
        • 285 413178-4131a2
        • 286 413176-4131d7: VirtualProtect
        • 288 4131dc-413213: VirtualProtect, call 41321d
        • 291 413215
        • 292 41321c
        • 293 41321a: call 409800
        • 294 41321a: call 409672
        • 295 41321a: call 404e7f
        • 296 41321a: call 408e3f
        • Edges: 270->272, 272->273, 272->274, 273->272, 274->273, 274->275, 275->273, 275->276, 276->277, 277->278, 278->279, 279->279, 279->280, 280->281, 281->282, 281->283, 282->284, 282->285, 283->278, 283->286, 284->281, 285->277, 286->288, 288->291, 291->293, 291->294, 291->295, 291->296, 293->292, 294->292, 295->292, 296->292
        APIs
        • VirtualProtect.KERNELBASE(Function_00000000,00001000,00000040,?,00000000,00000000,00000000,00000000,00000000,00000000,D66358EC,15F8EF80,71E40722,5D7574B6,0000FFFF), ref: 004131BF
        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,00000000,00000000,00000000,00000000,00000000,00000000,D66358EC,15F8EF80,71E40722,5D7574B6,0000FFFF), ref: 004131F2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ProtectVirtual
        • String ID: .dwp$.pwz
        • API String ID: 544645111-713379376
        • Opcode ID: 6d6dac34e2eb6e6e36dc5171e9029cd81c0b2b1b0b4923160330b4e93d6281be
        • Instruction ID: 8cb9849984a40c31a0c02f26d5540851e7fde0497f6d44c4019c6c11239c852f
        • Opcode Fuzzy Hash: 6d6dac34e2eb6e6e36dc5171e9029cd81c0b2b1b0b4923160330b4e93d6281be
        • Instruction Fuzzy Hash: BA310D71600101BBD710DE18CC40BAA73D6FF86325F298179F949AB385D778AD82979D
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (single basic block; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 308 409672-40968d: SetFileAttributesW, DeleteFileW
        APIs
        • SetFileAttributesW.KERNELBASE(0040B3E5,00000020,0040B3E5,?), ref: 00409678
        • DeleteFileW.KERNELBASE(?), ref: 00409682
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$AttributesDelete
        • String ID:
        • API String ID: 2910425767-0
        • Opcode ID: 0476b923c984120b2289ecc477f2f37636af48e8dd444778f185069a93637448
        • Instruction ID: 8bfe6b3e6b9a163c05126bc564a742466d08fc3a97ff826d5790fac9af29988b
        • Opcode Fuzzy Hash: 0476b923c984120b2289ecc477f2f37636af48e8dd444778f185069a93637448
        • Instruction Fuzzy Hash: EAC04C30104B01EBD6111B30DF0DB0D7A65BF45681F008434B146984B0D7318855AA05
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (single basic block; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 309 409800-409827: SHGetSpecialFolderPathW
        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,004099C5,?), ref: 00409821
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FolderPathSpecial
        • String ID:
        • API String ID: 994120019-0
        • Opcode ID: c6d1365e8ece46a2e5ee5aeb2f6e9546b2a1b98c81cb3b80149470246f3a9a75
        • Instruction ID: 7c18549ae31d16da77646f837029e96433fb233fea7622f3bf567d1fa8472607
        • Opcode Fuzzy Hash: c6d1365e8ece46a2e5ee5aeb2f6e9546b2a1b98c81cb3b80149470246f3a9a75
        • Instruction Fuzzy Hash: 31D0C972250600AFFA098B64DDBBF663374E745B10F55063CB522991E0E2B568548A29
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 310 408e3f-408e45
        • 311 408e47-408e59: RtlAllocateHeap
        • 312 408e5a-408e5c
        • Edges: 310->311, 310->312
        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 153230611b84f9af949ae492a1846f76ae2264c82824b3621081eb1c9167647d
        • Instruction ID: fb15e7315c71f495766428bb22374a787ac2416763aa6c35e3345758e15a4523
        • Opcode Fuzzy Hash: 153230611b84f9af949ae492a1846f76ae2264c82824b3621081eb1c9167647d
        • Instruction Fuzzy Hash: 18C04C71754500ABEF306B24DE06B1B36A9BB54B01F848975B845E16A0DB34DC05A614
        Uniqueness

        Uniqueness Score: -1.00%

        Control-flow Graph (basic blocks with the APIs they call, then edges; the executed/not-executed colouring of the rendered graph is not preserved in this text export)
        • 313 408e5d-408e62
        • 314 408e64-408e70: RtlFreeHeap
        • 315 408e76
        • Edges: 313->314, 313->315, 314->315
        APIs
        • RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FreeHeap
        • String ID:
        • API String ID: 3298025750-0
        • Opcode ID: f4e7009dbbd1061a5bcc55f799d7324a4ccd5b74a3b43258cf080074e877feea
        • Instruction ID: 53876d8f20b37a4f69c97ea7962a58e093f26c481401424f53aaea062c0160a9
        • Opcode Fuzzy Hash: f4e7009dbbd1061a5bcc55f799d7324a4ccd5b74a3b43258cf080074e877feea
        • Instruction Fuzzy Hash: 44C04830508200EBEE229B54DF09B0A7AA1AB94B05F408438B589708F08A75485AEA09
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • LoadLibraryA.KERNEL32(?,?), ref: 0041948C
        • GetProcAddress.KERNEL32(00000000,?), ref: 004194A0
        • GetProcAddress.KERNEL32(00000000,?), ref: 004194B5
        • GetProcAddress.KERNEL32(00000000,?), ref: 004194CA
        • GetProcAddress.KERNEL32(00000000,?), ref: 004194DF
        • GetProcAddress.KERNEL32(00000000,?), ref: 004194F4
        • GetProcAddress.KERNEL32(00000000,?), ref: 00419509
        • GetProcAddress.KERNEL32(00000000,?), ref: 0041951E
        • LoadLibraryA.KERNEL32(?), ref: 0041957A
        • GetProcAddress.KERNEL32(00000000,?), ref: 0041958E
        • LoadLibraryA.KERNEL32(?), ref: 004195B2
        • GetProcAddress.KERNEL32(00000000,?), ref: 004195C6
        • GetProcAddress.KERNEL32(00000000,?), ref: 004195DB
        • GetProcAddress.KERNEL32(00000000,?), ref: 004195F0
        • GetProcAddress.KERNEL32(00000000,?), ref: 00419605
        • GetProcAddress.KERNEL32(00000000,?), ref: 0041961A
        • GetProcAddress.KERNEL32(00000000,?), ref: 0041962F
        • GetProcAddress.KERNEL32(00000000,?), ref: 00419644
        • GetProcAddress.KERNEL32(00000000,?), ref: 00419659
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • lstrcmpiW.KERNEL32(?,?), ref: 0041983F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad$AllocateHeaplstrcmpi
        • String ID: `)~
        • API String ID: 517328672-1148047842
        • Opcode ID: 652ec4d4e57ac2cc2702d35a9bb0dacf3ec9b544ad820128a7d89c360fca8465
        • Instruction ID: b91fc7d50b67805f92cbdf4848a359178ef99cc1ee00ed2b325b5c69ace2a62d
        • Opcode Fuzzy Hash: 652ec4d4e57ac2cc2702d35a9bb0dacf3ec9b544ad820128a7d89c360fca8465
        • Instruction Fuzzy Hash: 53E1CD71511208EFDB21DFA4DE98AEE7BB9FB48741F04403AF90992220D7359885DF98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • PathCombineW.SHLWAPI(?,?,0040103C), ref: 00415EF7
        • FindFirstFileW.KERNEL32(?,?), ref: 00415F14
        • PathCombineW.SHLWAPI(?,?,0000002E), ref: 00415F78
        • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00415F89
        • FindNextFileW.KERNEL32(?,00000010), ref: 004160AF
        • FindClose.KERNEL32(?), ref: 004160C0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNextObjectSingleWait
        • String ID: .$.$`)~
        • API String ID: 3352328711-1952349027
        • Opcode ID: c8106b10c564cf95f8a2e349167942b83d46a8b232c01c1a36a580fe0a694490
        • Instruction ID: 3ae02db0bc70ec60cf7f2e2e8236cce77149f8219447731bdacff0d454b155e9
        • Opcode Fuzzy Hash: c8106b10c564cf95f8a2e349167942b83d46a8b232c01c1a36a580fe0a694490
        • Instruction Fuzzy Hash: FF512071800619EFDF30DFA0DD89ADABBB8AF08315F0040B6E509A2561D735EAC9DF19
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • PathCombineW.SHLWAPI(?,?,0040103C), ref: 00403C05
        • FindFirstFileW.KERNEL32(?,?), ref: 00403C22
        • PathCombineW.SHLWAPI(?,?,0000002E), ref: 00403C86
        • WaitForSingleObject.KERNEL32(?,000003E8), ref: 00403C97
        • FindNextFileW.KERNEL32(?,00000010), ref: 00403DBD
        • FindClose.KERNEL32(?), ref: 00403DCE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNextObjectSingleWait
        • String ID: .$.$`)~
        • API String ID: 3352328711-1952349027
        • Opcode ID: c8106b10c564cf95f8a2e349167942b83d46a8b232c01c1a36a580fe0a694490
        • Instruction ID: 619388a0b50673b2c2c5159949fb4f1acd1455b2ed631c7dd4566b60e6510161
        • Opcode Fuzzy Hash: c8106b10c564cf95f8a2e349167942b83d46a8b232c01c1a36a580fe0a694490
        • Instruction Fuzzy Hash: 7251433190461DAFDF20DFA0DD89E9A7BBCAF04306F0040B7E505B21A1D739AB899F58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,0041648D,0000007E,LoadLibraryA), ref: 0041C8B9
        • GetProcAddress.KERNEL32(?), ref: 0041C8E2
        • InitializeSecurityDescriptor.ADVAPI32(0040FCE0,00000001,?,?,?,?,?,0041648D,0000007E), ref: 0041C8FD
        • SetSecurityDescriptorDacl.ADVAPI32(0040FCE0,00000001,00000000,00000000,?,?,?,?,?,0041648D,0000007E), ref: 0041C907
        • OpenProcessToken.ADVAPI32(00000028,0000007E,?,?,?,?,?,0041648D,0000007E), ref: 0041C92F
        • LookupPrivilegeValueW.ADVAPI32(00000000,?,00000001), ref: 0041C946
        • AdjustTokenPrivileges.ADVAPI32(0000007E,00000000,?,00000010,00000000,00000000), ref: 0041C972
        • GetLastError.KERNEL32 ref: 0041C978
        • CloseHandle.KERNEL32(0000007E,?,?,?,?,?,0041648D,0000007E), ref: 0041C98E
        • GetUserDefaultUILanguage.KERNEL32(?,?,?,?,?,0041648D,0000007E), ref: 0041C994
          • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: DescriptorHeapProcessSecurityToken$AddressAdjustAllocateCloseCurrentDaclDefaultErrorFreeHandleInitializeLanguageLastLookupOpenPrivilegePrivilegesProcUserValue
        • String ID: `)~$k
        • API String ID: 3114487565-4157439176
        • Opcode ID: f95f4e6bfea1ed4e9e22add3d6ce27121d6f218898c24e099b8a2bb127b8bc1b
        • Instruction ID: 82bbdcee33305cef79b1ddb2d717986bff5685fe547f98c2c04ec62b972fd467
        • Opcode Fuzzy Hash: f95f4e6bfea1ed4e9e22add3d6ce27121d6f218898c24e099b8a2bb127b8bc1b
        • Instruction Fuzzy Hash: F5419371900605EFDB20EFA5DE89D9ABBB8FF45301B10003AF855E3661D774A988DF98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000), ref: 0041CDD5
        • OpenProcessToken.ADVAPI32(00000000,0000000B,?,?,00000000), ref: 0041CDE8
        • DuplicateTokenEx.ADVAPI32(?,0000000B,00000000,00000002,00000001,?,?,00000000), ref: 0041CE00
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0041CE10
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041CE17
        • CreateProcessAsUserW.ADVAPI32(?,00000000,00415B0C,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000), ref: 0041CE39
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0041CE44
        • CreateProcessW.KERNEL32(00000000,00415B0C,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000), ref: 0041CE60
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0041CE6F
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0041CE78
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseHandle$Process$CreateOpenToken$DuplicateUser
        • String ID: D
        • API String ID: 2747011430-2746444292
        • Opcode ID: f3c7db3c79abc7c2eff48aafbe17ff33fb57cd70352256e0a4236e079195607a
        • Instruction ID: 7a4b44cd0ef24d4f70b6e03c9c283dc7add8f3d9692b78bba5803b03cf066e83
        • Opcode Fuzzy Hash: f3c7db3c79abc7c2eff48aafbe17ff33fb57cd70352256e0a4236e079195607a
        • Instruction Fuzzy Hash: E931EB72940208AFDF219FE0DD889DEBBB9FF08341F144036FA06E6560D7358A95DB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 004154A6
        • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 004154C6
        • PFXExportCertStore.CRYPT32(00000000,00000200,00000200,00000004), ref: 00415544
        • GetSystemTime.KERNEL32(?), ref: 00415556
        • wnsprintfW.SHLWAPI ref: 00415582
        • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004155B7
        • CertDeleteCRLFromStore.CRYPT32(00000000), ref: 004155C2
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004155CA
        • CertCloseStore.CRYPT32(00000000,00000000), ref: 004155E2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Cert$Store$ExportSystem$CertificateCertificatesCloseContextDeleteDuplicateEnumFromOpenTimewnsprintf
        • String ID: `)~
        • API String ID: 2462860939-1148047842
        • Opcode ID: 5b65d919acd03c798dc085ce9f49651b907348f2961cfc6e4b2fc18423edfa0c
        • Instruction ID: 53c76ca448f65a05b653e38acf08b4b061df82b13351cec9e9c7449de6fa4c2f
        • Opcode Fuzzy Hash: 5b65d919acd03c798dc085ce9f49651b907348f2961cfc6e4b2fc18423edfa0c
        • Instruction Fuzzy Hash: 6F417471804209FFDF219FA4DC85AEE7BBAFF48354F004476F905A2150DB398A898B68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 004031B4
        • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 004031D4
        • PFXExportCertStore.CRYPT32(00000000,00000200,00000200,00000004), ref: 00403252
        • GetSystemTime.KERNEL32(?), ref: 00403264
        • wnsprintfW.SHLWAPI ref: 00403290
        • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004032C5
        • CertDeleteCRLFromStore.CRYPT32(00000000), ref: 004032D0
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004032D8
        • CertCloseStore.CRYPT32(00000000,00000000), ref: 004032F0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Cert$Store$ExportSystem$CertificateCertificatesCloseContextDeleteDuplicateEnumFromOpenTimewnsprintf
        • String ID: `)~
        • API String ID: 2462860939-1148047842
        • Opcode ID: ea4abe4f904a8856036a8cbc710f564e9ac35673c071382e2441133059c6bb37
        • Instruction ID: 7c462380c98a53c20b32ab48d75dc47cfc4e19e4fd32435508495ea7e725e6d2
        • Opcode Fuzzy Hash: ea4abe4f904a8856036a8cbc710f564e9ac35673c071382e2441133059c6bb37
        • Instruction Fuzzy Hash: D6416171904249BFDF219FA5DD85AAE7FBCAB04315F0044BAF904F2190DB398A498B68
        Uniqueness

        Uniqueness Score: -1.00%
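The behaviours the report flags for these routines follow from the order of calls inside one function plus a handful of flag values: OpenProcess followed by CreateRemoteThread in the routine at 406a2e; OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges in the routine around 0041C92F; OpenProcessToken, DuplicateTokenEx and CreateProcessAsUserW around 0041CDD5; PFXExportCertStore called with dwFlags 00000004, which is EXPORT_PRIVATE_KEYS, in the two certificate-store routines; VirtualProtect with 00000040 (PAGE_EXECUTE_READWRITE) at 4130dd; and LoadLibraryA followed by a long run of GetProcAddress calls around 0041948C. The rule set below is an added example for this page; it is not Joe Sandbox's signature engine and not code from the sample. The per-routine trace lines are copied from the APIs lists above, keyed by the routine's start address where the report gives one and otherwise by the address of its first listed call (a labelling choice made here). The ATT&CK ids name the generic technique each call pattern corresponds to, not a claim about this sample beyond what the calls show.

```python
"""Turn per-function API traces into behaviour labels (with ATT&CK ids).

Added example for reading this report; not Joe Sandbox code and not the
sample's code. Rules are ordered-subsequence checks over the API names,
plus the flag values that make a call interesting: PFXExportCertStore with
EXPORT_PRIVATE_KEYS (0x4), VirtualProtect with PAGE_EXECUTE_READWRITE (0x40),
RegSetValueExW with REG_SZ (1).
"""
import re
from typing import NamedTuple, Optional

class Call(NamedTuple):
    api: str
    args: tuple          # int for hex tokens; None for '?', strings and symbols

CALL_RE = re.compile(r"(\w+)\.\w+\((.*)\)")   # greedy: the last ')' ends the call

def parse_call(line: str) -> Optional[Call]:
    """'Api.Module(a,b,...), ref: addr' -> Call; non-call lines -> None."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = []
    for tok in m.group(2).split(","):
        tok = tok.strip().split("(")[0]           # drop a bracketed tool note
        args.append(int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{1,8}", tok) else None)
    return Call(m.group(1), tuple(args))

def has_seq(calls, *names):
    """True if the APIs appear in this order within the function (gaps allowed)."""
    apis = iter(c.api for c in calls)
    return all(name in apis for name in names)

def arg_values(calls, api, idx):
    """Every value seen at argument idx of api in this function (None = unknown)."""
    return [c.args[idx] for c in calls if c.api == api and idx < len(c.args)]

RULES = [
    ("remote thread injection", "T1055",
     lambda cs: has_seq(cs, "OpenProcess", "CreateRemoteThread")),
    ("process enumeration via Toolhelp32", "T1057",
     lambda cs: has_seq(cs, "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW")),
    ("privilege adjustment on a token", "T1134",
     lambda cs: has_seq(cs, "OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges")),
    ("process creation under a duplicated token", "T1134.002",
     lambda cs: has_seq(cs, "OpenProcessToken", "DuplicateTokenEx", "CreateProcessAsUserW")),
    ("certificate store export including private keys", "T1552.004",
     lambda cs: any(v is not None and v & 0x4 for v in arg_values(cs, "PFXExportCertStore", 3))),
    ("page protection set to PAGE_EXECUTE_READWRITE", None,
     lambda cs: 0x40 in arg_values(cs, "VirtualProtect", 2)),
    ("runtime import resolution", "T1027.007",
     lambda cs: has_seq(cs, "LoadLibraryA", "GetProcAddress")
                and sum(c.api == "GetProcAddress" for c in cs) >= 4),
    ("registry REG_SZ value written", None,
     lambda cs: has_seq(cs, "RegCreateKeyExW", "RegSetValueExW")
                and 1 in arg_values(cs, "RegSetValueExW", 3)),
]

def classify(functions):
    """{function: [(label, attack_id), ...]} for every rule that fires."""
    out = {}
    for name, lines in functions.items():
        calls = [c for c in map(parse_call, lines) if c is not None]
        out[name] = [(label, tid) for label, tid, rule in RULES if rule(calls)]
    return out

# Constructed input: trace lines copied from the APIs lists above, per routine.
FUNCTIONS = {
    "fn_4099FB": [
        "RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,00000000,00000000), ref: 00409A2E",
        "RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00409A51",
        "RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000000,?,?,00000000,00000000), ref: 00409B18"],
    "fn_404DEF": [
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404E0A",
        "Process32FirstW.KERNEL32(00000000,0000022C), ref: 00404E1A",
        "lstrcmpiW.KERNELBASE(?,007E2960), ref: 00404E4A",
        "Process32NextW.KERNEL32(00000000,0000022C), ref: 00404E67"],
    "fn_406A2E": [
        "OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00405230,-0000A820,00000000,00000000,007E2960), ref: 00406A52",
        "CreateRemoteThread.KERNELBASE(`)~,00000000,00000000,00000000,00000000,00000000,?), ref: 00406A89"],
    "fn_4130DD": [
        "VirtualProtect.KERNELBASE(Function_00000000,00001000,00000040,?,00000000,00000000,00000000,00000000,00000000,00000000,D66358EC,15F8EF80,71E40722,5D7574B6,0000FFFF), ref: 004131BF"],
    "ref_41948C": [
        "LoadLibraryA.KERNEL32(?,?), ref: 0041948C",
        "GetProcAddress.KERNEL32(00000000,?), ref: 004194A0",
        "GetProcAddress.KERNEL32(00000000,?), ref: 004194B5",
        "GetProcAddress.KERNEL32(00000000,?), ref: 004194CA",
        "GetProcAddress.KERNEL32(00000000,?), ref: 004194DF"],
    "ref_41C8B9": [
        "OpenProcessToken.ADVAPI32(00000028,0000007E,?,?,?,?,?,0041648D,0000007E), ref: 0041C92F",
        "LookupPrivilegeValueW.ADVAPI32(00000000,?,00000001), ref: 0041C946",
        "AdjustTokenPrivileges.ADVAPI32(0000007E,00000000,?,00000010,00000000,00000000), ref: 0041C972"],
    "ref_41CDD5": [
        "OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000), ref: 0041CDD5",
        "OpenProcessToken.ADVAPI32(00000000,0000000B,?,?,00000000), ref: 0041CDE8",
        "DuplicateTokenEx.ADVAPI32(?,0000000B,00000000,00000002,00000001,?,?,00000000), ref: 0041CE00",
        "CreateProcessAsUserW.ADVAPI32(?,00000000,00415B0C,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000), ref: 0041CE39"],
    "ref_4154A6": [
        "CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 004154A6",
        "PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 004154C6"],
}

if __name__ == "__main__":
    for fn, hits in classify(FUNCTIONS).items():
        print(fn, hits or "-")
```

Ordering matters in these rules: OpenProcess with 00000400 (PROCESS_QUERY_INFORMATION) followed by CreateProcessAsUserW is token theft, not injection, and the rule set keeps the two apart because it requires CreateRemoteThread for the injection label. The cert rule tests the flag bit rather than the whole value, so a future trace with EXPORT_PRIVATE_KEYS combined with other PFX flags still fires.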

        APIs
        • PathCombineW.SHLWAPI(?,?,0040103C), ref: 0041C0DD
        • FindFirstFileW.KERNEL32(?,?), ref: 0041C0F1
        • PathMatchSpecW.SHLWAPI(?,ymA), ref: 0041C145
        • PathCombineW.SHLWAPI(?,?,0000002E), ref: 0041C160
        • FindNextFileW.KERNEL32(00000000,?), ref: 0041C193
        • FindClose.KERNEL32(00000000), ref: 0041C1A2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FindPath$CombineFile$CloseFirstMatchNextSpec
        • String ID: .$.$ymA
        • API String ID: 1774936002-1171932320
        • Opcode ID: d5eaae78f039f491236a5386cb4a06609b157d4ed1d19a3c4d9639ee126e668d
        • Instruction ID: 9173dfc8772848535e9bd63ef705b591e4255a357e86c5ec58f554e68bd13d96
        • Opcode Fuzzy Hash: d5eaae78f039f491236a5386cb4a06609b157d4ed1d19a3c4d9639ee126e668d
        • Instruction Fuzzy Hash: 38219571980118BBDF30ABA0DD8CADA77BCBB04755F0000B6E508B2152DB789AC98E5C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BAF2: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,0041BCB7,?), ref: 0041BB13
        • PathCombineW.SHLWAPI(?,?,007E2960), ref: 0041D982
        • FindClose.KERNEL32(00000000), ref: 0041D995
        • PathCombineW.SHLWAPI(?,?,?), ref: 0041D9B0
        • Sleep.KERNEL32(?), ref: 0041D9D9
        • PathCombineW.SHLWAPI(?,?,?), ref: 0041D9F8
        • FindFirstFileW.KERNEL32(?,?), ref: 0041DA0C
        • WaitForSingleObject.KERNEL32(0001D4C0), ref: 0041DA9B
          • Part of subcall function 00418340: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004183C1
          • Part of subcall function 00418340: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004183FB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FindInternet$CloseConnectCrackFileFirstFolderObjectSingleSleepSpecialWait
        • String ID: `)~
        • API String ID: 2679617673-1148047842
        • Opcode ID: f40762a05d9fc3cd888c5a6c7f3a7f4b334abffaf4d365cc786b7c14d58c153d
        • Instruction ID: 0312c9762d677fa5a48c7b08e0c4a0fa9318728ae8128673b9fb2392ed8c6d39
        • Opcode Fuzzy Hash: f40762a05d9fc3cd888c5a6c7f3a7f4b334abffaf4d365cc786b7c14d58c153d
        • Instruction Fuzzy Hash: 2F315BB2904258AFDB25DBA4DD88EDB777CAB05304F1400B7E149A3551DB38AA88CF59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00409800: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,004099C5,?), ref: 00409821
        • PathCombineW.SHLWAPI(?,?,007E2960), ref: 0040B690
        • FindClose.KERNEL32(00000000), ref: 0040B6A3
        • PathCombineW.SHLWAPI(?,?,?), ref: 0040B6BE
        • Sleep.KERNEL32(?), ref: 0040B6E7
        • PathCombineW.SHLWAPI(?,?,?), ref: 0040B706
        • FindFirstFileW.KERNEL32(?,?), ref: 0040B71A
        • WaitForSingleObject.KERNEL32(0001D4C0), ref: 0040B7A9
          • Part of subcall function 0040604E: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004060CF
          • Part of subcall function 0040604E: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406109
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FindInternet$CloseConnectCrackFileFirstFolderObjectSingleSleepSpecialWait
        • String ID: `)~
        • API String ID: 2679617673-1148047842
        • Opcode ID: d79cea2749c4e083463c006bfbd6d85ba86eafbf53d22d1fbbdfbdac7b013806
        • Instruction ID: 5f43e401ec48589a41b72bc82dc5f261f84a9ae932111f1c4f25d35c3a8ebf53
        • Opcode Fuzzy Hash: d79cea2749c4e083463c006bfbd6d85ba86eafbf53d22d1fbbdfbdac7b013806
        • Instruction Fuzzy Hash: C0316972901248AFDB20DBA4DD88EDB77BCAB05304F1404B7E549B3591DB38AA88CF59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • PathCombineW.SHLWAPI(?,?,0040103C), ref: 00409DEB
        • FindFirstFileW.KERNEL32(?,?), ref: 00409DFF
        • PathMatchSpecW.SHLWAPI(0000002E,00404A87), ref: 00409E53
        • PathCombineW.SHLWAPI(?,?,0000002E), ref: 00409E6E
        • FindNextFileW.KERNEL32(00000000,?), ref: 00409EA1
        • FindClose.KERNEL32(00000000), ref: 00409EB0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FindPath$CombineFile$CloseFirstMatchNextSpec
        • String ID: .$.
        • API String ID: 1774936002-3769392785
        • Opcode ID: adbf9b4d2e01a8d0768536955d36fe0409b937e196156ef27faeda2a4e7635bf
        • Instruction ID: 0b84655d2de00a3d32378678d11eab2b6c236595dff2bdf6a2f06f5cb92ea9bd
        • Opcode Fuzzy Hash: adbf9b4d2e01a8d0768536955d36fe0409b937e196156ef27faeda2a4e7635bf
        • Instruction Fuzzy Hash: 19216571900119AADF30EBA0DD4DEDB777CAB44355F0400BAE509B21D3DB789EC98A9C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B213: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0041B21C
          • Part of subcall function 0041B213: lstrcpyW.KERNEL32(?,?), ref: 0041B22A
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00000200,00000200,00000000,00000000,0040F3D0,00000000), ref: 0041C6DE
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041C6F8
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041C705
        • CreateThread.KERNEL32(00000000,00000000,Function_00008F40,00000000,00000000,00000000), ref: 0041C72A
        • CloseHandle.KERNEL32(00000000), ref: 0041C736
        • CloseHandle.KERNEL32(?), ref: 0041C73F
        • CloseHandle.KERNEL32(?), ref: 0041C748
          • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
        • CloseHandle.KERNEL32(00000000), ref: 0041C760
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041C76B
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateHandle$EventHeaplstrcpy$AllocateFreeNamedObjectPipeSingleThreadWait
        • String ID:
        • API String ID: 2368775089-0
        • Opcode ID: 762d883c706d1b313f2bb04201a84eeb6cfc1364f97969d2a042d82618bfb058
        • Instruction ID: 9b09c9e2a6239177aa126b8cddac3699309e6e72638b9caad0ddb714b62bb741
        • Opcode Fuzzy Hash: 762d883c706d1b313f2bb04201a84eeb6cfc1364f97969d2a042d82618bfb058
        • Instruction Fuzzy Hash: 9021A931140201BBCB306F32DD4DD9B7BB9EFC2B61B10453EF5A6E15A0DB7894848BA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041D16C: PathCombineW.SHLWAPI(?,007E2960,?), ref: 0041D195
          • Part of subcall function 0041D16C: PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0041D1A4
          • Part of subcall function 0041D16C: GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0041D1BD
          • Part of subcall function 0041D16C: GetTimeZoneInformation.KERNEL32(?), ref: 0041D1CC
          • Part of subcall function 0041D16C: GetVersionExW.KERNEL32(0040FF98), ref: 0041D20E
          • Part of subcall function 0041D16C: lstrlenW.KERNEL32(0040FFAC), ref: 0041D219
        • lstrcpyW.KERNEL32(?,00000000), ref: 0041DCE8
        • lstrcatW.KERNEL32(?,?), ref: 0041DCFD
        • FindFirstFileW.KERNEL32(?,?), ref: 0041DD21
        • FindFirstFileW.KERNEL32(?,?), ref: 0041DD36
        • FindClose.KERNEL32(00000000), ref: 0041DD4D
        • WaitForSingleObject.KERNEL32(0001D4C0), ref: 0041DE01
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FileFind$CombineFirstPath$CloseInformationModuleNameObjectSingleTimeVersionWaitZonelstrcatlstrcpylstrlen
        • String ID: `)~
        • API String ID: 3744032737-1148047842
        • Opcode ID: 38817816f5755b107568231c3a3d9ea54295d60573dea1b93d796460c9c69bc9
        • Instruction ID: 8ef6ee458f3811208a8bf35609c91f3e718a59acd6e7eee897d13ecf0bc9386d
        • Opcode Fuzzy Hash: 38817816f5755b107568231c3a3d9ea54295d60573dea1b93d796460c9c69bc9
        • Instruction Fuzzy Hash: 34314FB1C043589BCF71DFA4ED84ADA7B78AF04714F1401BAE509A3591D7389AC9CF58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0040AE7A: PathCombineW.SHLWAPI(?,007E2960,?), ref: 0040AEA3
          • Part of subcall function 0040AE7A: PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0040AEB2
          • Part of subcall function 0040AE7A: GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0040AECB
          • Part of subcall function 0040AE7A: GetTimeZoneInformation.KERNEL32(?), ref: 0040AEDA
          • Part of subcall function 0040AE7A: GetVersionExW.KERNEL32(0040FF98), ref: 0040AF1C
          • Part of subcall function 0040AE7A: lstrlenW.KERNEL32(0040FFAC), ref: 0040AF27
        • lstrcpyW.KERNEL32(?,00000000), ref: 0040B9F6
        • lstrcatW.KERNEL32(?,?), ref: 0040BA0B
        • FindFirstFileW.KERNEL32(?,?), ref: 0040BA2F
        • FindFirstFileW.KERNEL32(?,?), ref: 0040BA44
        • FindClose.KERNEL32(00000000), ref: 0040BA5B
        • WaitForSingleObject.KERNEL32(0001D4C0), ref: 0040BB0F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FileFind$CombineFirstPath$CloseInformationModuleNameObjectSingleTimeVersionWaitZonelstrcatlstrcpylstrlen
        • String ID: `)~
        • API String ID: 3744032737-1148047842
        • Opcode ID: 92a679094aac9a622d12bd4868030702e6364419c90cd70be7f7e9c6e46ecc61
        • Instruction ID: 2978f65cd4e069ce64fe7f32c00193941f7a66ec4641a41b31c2717cd4a1711e
        • Opcode Fuzzy Hash: 92a679094aac9a622d12bd4868030702e6364419c90cd70be7f7e9c6e46ecc61
        • Instruction Fuzzy Hash: 0A316D719043589BCF71DF64DD84ADA7BB8EF04310F1401BAE509B3691D7389A89CF98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BAF2: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,0041BCB7,?), ref: 0041BB13
        • PathCombineW.SHLWAPI(?,007E2960,?), ref: 0041D195
        • PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0041D1A4
        • GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0041D1BD
        • GetTimeZoneInformation.KERNEL32(?), ref: 0041D1CC
        • GetVersionExW.KERNEL32(0040FF98), ref: 0041D20E
        • lstrlenW.KERNEL32(0040FFAC), ref: 0041D219
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FileFolderInformationModuleNameSpecialTimeVersionZonelstrlen
        • String ID: `)~
        • API String ID: 1803189752-1148047842
        • Opcode ID: b2afc47b35419bcbf5080b94ae822c1f2889634dc3eb7ad92afbe2d72977a8c6
        • Instruction ID: 1f0c2aadf6a6b7914ce9064c84ec1b9d31c3992d3abfb2b250ae9d763d7fba1f
        • Opcode Fuzzy Hash: b2afc47b35419bcbf5080b94ae822c1f2889634dc3eb7ad92afbe2d72977a8c6
        • Instruction Fuzzy Hash: 2A21DE31508259DEDB20EBA4EE0ABCA3BB4EB06708F140036F804F29A0D3789549CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • VirtualAllocEx.KERNEL32(?,?,?,00002000,00000001,00000000,?,?,?,00000001), ref: 0041857E
        • VirtualAllocEx.KERNEL32(?,00000000,?,00002000,00000001,?,?,?,00000001), ref: 00418595
        • VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004,?,?,?,?,00000001), ref: 00418651
        • WriteProcessMemory.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,00000001), ref: 0041866B
        • VirtualProtectEx.KERNEL32(?,?,?,00000002,?,?,?,?,?,00000001), ref: 0041867E
        • VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004,?,?,?,?), ref: 004186A9
        • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?), ref: 004186C9
        • VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?), ref: 004186E2
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Virtual$Alloc$MemoryProcessProtectWrite
        • String ID:
        • API String ID: 426431698-0
        • Opcode ID: c9c45b9ad16a4ae984679f3a89c4cac7bc4ab897c45aa7ff2562e97879dc8f63
        • Instruction ID: 6b33ee2ba879eb8860d9f330f52a90ac52c3c2525ffa73abf694f09ce602b554
        • Opcode Fuzzy Hash: c9c45b9ad16a4ae984679f3a89c4cac7bc4ab897c45aa7ff2562e97879dc8f63
        • Instruction Fuzzy Hash: 3E519E71900209FFDB218FA5CD44BEE7BB6FF44344F14802AF906A62A0D775AA91DB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 00417C5B
        • CreateFileW.KERNEL32(000000C8,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00417C88
        • WaitForSingleObject.KERNEL32(00415976,00000000), ref: 00417CA0
        • InternetReadFile.WININET(00000004,?,00000400,00000004), ref: 00417CBD
        • WriteFile.KERNEL32(00000000,?,00000004,00415976,00000000), ref: 00417CE0
        • FlushFileBuffers.KERNEL32(00000000), ref: 00417CFC
        • CloseHandle.KERNEL32(00000000), ref: 00417D03
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$BuffersCloseCreateFlushHandleHttpInfoInternetObjectQueryReadSingleWaitWrite
        • String ID:
        • API String ID: 1338745320-0
        • Opcode ID: 6061670191654ca33161cbe88060633da4c57fc814f27fc975e4634698a66cf9
        • Instruction ID: 847e608f99de84642959e9c0b233955459fdb511a6f29aa317053b1731464508
        • Opcode Fuzzy Hash: 6061670191654ca33161cbe88060633da4c57fc814f27fc975e4634698a66cf9
        • Instruction Fuzzy Hash: EE212F7194424CBFEF219FA0DC44FEE7B7CAF00344F0484B6E652A6151E7359A898B58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000103), ref: 00406CD0
        • FindFirstFileW.KERNEL32(?,?), ref: 00406CEB
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00406CFE
        • PathCombineW.SHLWAPI(?,?,?), ref: 00406D22
        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00406D3F
        • FindClose.KERNEL32(00000000), ref: 00406D4A
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FileFind$Path$CloseCombineEnvironmentExpandFirstNextRemoveSpecStrings
        • String ID:
        • API String ID: 3464319278-0
        • Opcode ID: 8e868ad5da647a5ab0eb7c95d6c43ab1210eb4f99e53f6973f3bbcf7393c4fae
        • Instruction ID: 4f98a8ac0a760e417a0c39e026e4d7f4530bd664e7cfa73051d874a6260c0d2f
        • Opcode Fuzzy Hash: 8e868ad5da647a5ab0eb7c95d6c43ab1210eb4f99e53f6973f3bbcf7393c4fae
        • Instruction Fuzzy Hash: 6D11897250462C5BDB21AB60DC48EDB77ACAF05711F0001B7F915F3191DF35AA888BA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000103), ref: 00418FC2
        • FindFirstFileW.KERNEL32(?,?), ref: 00418FDD
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00418FF0
        • PathCombineW.SHLWAPI(?,?,?), ref: 00419014
        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00419031
        • FindClose.KERNEL32(00000000), ref: 0041903C
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: FileFind$Path$CloseCombineEnvironmentExpandFirstNextRemoveSpecStrings
        • String ID:
        • API String ID: 3464319278-0
        • Opcode ID: 15aaf62b9cd7a5d021e0bbdeee7c03dd2e2c5b5e0580e707a917fe4da2eb3794
        • Instruction ID: de69078fbfae7b8e8b5faf84defd7ce91f443b281f801b3af84b3b24b45e5666
        • Opcode Fuzzy Hash: 15aaf62b9cd7a5d021e0bbdeee7c03dd2e2c5b5e0580e707a917fe4da2eb3794
        • Instruction Fuzzy Hash: A211607380462C6BDB219B60DD48EDB77ACAB04711F0001B6F915E3152DF38AAC98BA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CryptAcquireContextW.ADVAPI32(00000004,00000000,00000000,00000001,F0000060,00000000,00000004), ref: 0041C024
        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0041C03C
        • CryptHashData.ADVAPI32(?,00000010,00000000,00000000), ref: 0041C057
        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0041C06E
        • CryptDestroyHash.ADVAPI32(?), ref: 0041C085
        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041C08F
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
        • String ID:
        • API String ID: 3186506766-0
        • Opcode ID: 398457dbb6b2730cee62d73fa6d01debb07c6ca89c7a4a65ccd9bc2c66524f56
        • Instruction ID: d757a087a871de2afb9a8aefb055d8e140fd2c343c55ec03320a00c32f81a653
        • Opcode Fuzzy Hash: 398457dbb6b2730cee62d73fa6d01debb07c6ca89c7a4a65ccd9bc2c66524f56
        • Instruction Fuzzy Hash: FE11157494420CBFEF219BE4CC98BEE7F7CEB08344F008471B511A51A0D7769A589F24
        Uniqueness

        Uniqueness Score: -1.00%
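The two call chains listed above, the VirtualAllocEx / WriteProcessMemory / VirtualProtectEx sequence in the function at 004185xx and the CryptoAPI sequence at 0041C0xx, say much more once their numeric arguments are decoded. The Python below is an added analyst helper and is not part of the Joe Sandbox report or its IDA plugin. It parses the report's own `API.MODULE(args), ref: addr` lines (the sample input is copied verbatim from the two listings above), flags the remote PE-mapping pattern (reserve the image, commit sections read/write, write, then re-protect with an execute bit) and names the CryptoAPI provider type, context flags, hash algorithm and digest length, cross-checking that the digest length matches the algorithm. The constant values are from the Win32 SDK headers (winnt.h, wincrypt.h); the function names, the `PAGE_EXECUTE_MASK` shortcut and the consistency check are my own choices.

```python
import re

# Win32 constants (winnt.h / wincrypt.h); only the ones the decoders need.
PAGE_EXECUTE_MASK = 0xF0            # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PROV_TYPES = {0x1: "PROV_RSA_FULL", 0x18: "PROV_RSA_AES"}
CRYPT_FLAGS = {0xF0000000: "CRYPT_VERIFYCONTEXT", 0x40: "CRYPT_SILENT",
               0x20: "CRYPT_MACHINE_KEYSET", 0x8: "CRYPT_NEWKEYSET"}
ALG_IDS = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
           0x6801: "CALG_RC4", 0x660E: "CALG_AES_128"}
HASH_PARAMS = {0x2: "HP_HASHVAL", 0x4: "HP_HASHSIZE"}
DIGEST_SIZES = {"CALG_MD5": 16, "CALG_SHA1": 20, "CALG_SHA_256": 32}

# Sample input: lines copied from this report's listings for the functions at
# 004185xx (injection) and 0041C0xx (CryptoAPI).
INJECTION_LINES = [
    "• VirtualAllocEx.KERNEL32(?,?,?,00002000,00000001,00000000,?,?,?,00000001), ref: 0041857E",
    "• VirtualAllocEx.KERNEL32(?,00000000,?,00002000,00000001,?,?,?,00000001), ref: 00418595",
    "• VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004,?,?,?,?,00000001), ref: 00418651",
    "• WriteProcessMemory.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,00000001), ref: 0041866B",
    "• VirtualProtectEx.KERNEL32(?,?,?,00000002,?,?,?,?,?,00000001), ref: 0041867E",
    "• VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004,?,?,?,?), ref: 004186A9",
    "• WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?), ref: 004186C9",
    "• VirtualProtectEx.KERNEL32(?,?,?,00000040,?,?,?,?,?), ref: 004186E2",
]
CRYPTO_LINES = [
    "• CryptAcquireContextW.ADVAPI32(00000004,00000000,00000000,00000001,F0000060,00000000,00000004), ref: 0041C024",
    "• CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0041C03C",
    "• CryptHashData.ADVAPI32(?,00000010,00000000,00000000), ref: 0041C057",
    "• CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0041C06E",
    "• CryptDestroyHash.ADVAPI32(?), ref: 0041C085",
    "• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 0041C08F",
]

API_RE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]{8})")
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")


def parse_api_line(line):
    """Parse one 'API.MODULE(args), ref: addr' line into a dict.
    '?' (value not resolved by the sandbox) becomes None, 8-digit hex becomes
    int, anything else (string literals, Function_xxxx) stays a string.
    The plugin prints stack slots past the API's real parameter count and
    reconstructs values statically, so only index into positions the Win32
    prototype defines and treat unresolved slots as unknown, not zero."""
    m = API_RE.search(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    args = []
    for a in (raw.split(",") if raw else []):
        a = a.strip()
        if a in ("", "?"):
            args.append(None)
        elif HEX_RE.fullmatch(a):
            args.append(int(a, 16))
        else:
            args.append(a)
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


def name_of(table, value):
    return None if value is None else table.get(value, hex(value))


def classify_injection(calls):
    """Flag the remote PE-mapping chain in one function's call list:
    VirtualAllocEx (MEM_RESERVE of the whole image, then MEM_COMMIT of
    sections as PAGE_READWRITE) -> WriteProcessMemory -> VirtualProtectEx that
    sets an execute bit. A VirtualProtectEx to a non-executable page (0x2,
    PAGE_READONLY, as at 0041867E) does not complete the pattern on its own."""
    steps = {"alloc": [], "write": [], "protect_exec": []}
    for c in calls:
        if c["api"] == "VirtualAllocEx":
            steps["alloc"].append((arg(c, 3), arg(c, 4)))   # flAllocationType, flProtect
        elif c["api"] == "WriteProcessMemory":
            steps["write"].append(c["ref"])
        elif c["api"] == "VirtualProtectEx":
            prot = arg(c, 3)                                 # flNewProtect
            if prot is not None and prot & PAGE_EXECUTE_MASK:
                steps["protect_exec"].append(prot)
    steps["is_remote_pe_injection"] = bool(
        steps["alloc"] and steps["write"] and steps["protect_exec"])
    return steps


def decode_flags(value, table):
    """Names of every flag in `table` fully contained in `value`."""
    return [name for bit, name in table.items() if value & bit == bit]


def decode_cryptoapi(calls):
    """Recover provider type, flags, algorithm and digest size from a CryptoAPI
    chain, then check that the size requested with HP_HASHVAL matches the
    algorithm (16 bytes for CALG_MD5)."""
    out = {}
    for c in calls:
        if c["api"] == "CryptAcquireContextW":
            out["provider"] = name_of(PROV_TYPES, arg(c, 3))      # dwProvType
            out["flags"] = decode_flags(arg(c, 4) or 0, CRYPT_FLAGS)  # dwFlags
        elif c["api"] == "CryptCreateHash":
            out["algorithm"] = name_of(ALG_IDS, arg(c, 1))        # Algid
        elif c["api"] == "CryptGetHashParam":
            out["param"] = name_of(HASH_PARAMS, arg(c, 1))        # dwParam
            out["digest_len"] = arg(c, 3)                         # *pdwDataLen as resolved
    out["digest_consistent"] = (
        DIGEST_SIZES.get(out.get("algorithm")) == out.get("digest_len"))
    return out


if __name__ == "__main__":
    print(classify_injection([parse_api_line(l) for l in INJECTION_LINES]))
    print(decode_cryptoapi([parse_api_line(l) for l in CRYPTO_LINES]))
```

Run on the two listings it reports the injection as a full reserve, commit, write, make-executable chain, and the CryptoAPI chain as PROV_RSA_FULL opened with CRYPT_VERIFYCONTEXT | CRYPT_SILENT | CRYPT_MACHINE_KEYSET computing an MD5 whose 16-byte digest is read back with HP_HASHVAL. The same parser works on any other function block in this report; the argument columns are a static reconstruction, so treat a `?` as unknown rather than zero when extending the checks.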

        APIs
        • CryptAcquireContextW.ADVAPI32(00000004,00000000,00000000,00000001,F0000060,00000000,00000004), ref: 00409D32
        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00409D4A
        • CryptHashData.ADVAPI32(?,00000010,00000000,00000000), ref: 00409D65
        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 00409D7C
        • CryptDestroyHash.ADVAPI32(?), ref: 00409D93
        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00409D9D
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
        • String ID:
        • API String ID: 3186506766-0
        • Opcode ID: 398457dbb6b2730cee62d73fa6d01debb07c6ca89c7a4a65ccd9bc2c66524f56
        • Instruction ID: c18dbeb68adf103e85bc82739342604d548bc12ded4ba22fc1b9f4ffe498770a
        • Opcode Fuzzy Hash: 398457dbb6b2730cee62d73fa6d01debb07c6ca89c7a4a65ccd9bc2c66524f56
        • Instruction Fuzzy Hash: BC11037494420CBEEF219BA0DC58AAE7B7DAB04344F008475B511B51A1D6769E58DB28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CoCreateInstance.OLE32(004012F4,00000000,00000001,00401304,?), ref: 004180CA
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CreateInstance
        • String ID:
        • API String ID: 542301482-0
        • Opcode ID: 2877e142c2defd4e70602401654dab7efb4bc9a2b9f57185eee5d66498023510
        • Instruction ID: 53fde1afd02f10f56c612bb416be4d43942160924126c518374dc11613146425
        • Opcode Fuzzy Hash: 2877e142c2defd4e70602401654dab7efb4bc9a2b9f57185eee5d66498023510
        • Instruction Fuzzy Hash: D211E975A00209AFDF00DFE4C898DAAB779FF89708B104499E941DB351DB75ED42CB20
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcessHeap.KERNEL32(0040A530,?,?,?,?,?,?,?,0040419B,0000007E,LoadLibraryA), ref: 0040A4F2
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HeapProcess
        • String ID:
        • API String ID: 54951025-0
        • Opcode ID: 2be115050555d929c4434fca85c45fe68df4a4d8e98b3088ef20b1188e481a0b
        • Instruction ID: 15419e461b12caf9a19814185d9d020972cfc1dc6cf4756b8fd4a2e8e51f09d2
        • Opcode Fuzzy Hash: 2be115050555d929c4434fca85c45fe68df4a4d8e98b3088ef20b1188e481a0b
        • Instruction Fuzzy Hash: D3D05E3440C3068AEA34AFA0AF0B4483760BA443247D0157FE891B2AE1DF380C4AEA0C
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
        • Instruction ID: 4b3fb42482c295b571eb9389d1de57cfdb294c80ada1646a06ec00c969b8eb4c
        • Opcode Fuzzy Hash: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
        • Instruction Fuzzy Hash: 95815E32D0562ADBDF14CE68C5406EDB7B1EB85324F19429ADC66BB381C338AD81DBC5
        Uniqueness

        Uniqueness Score: -1.00%

        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
        • Instruction ID: a27b81c3c973c3ab2fc13175cdfa6a580873f1c140edbbc88485b45d6776d9b7
        • Opcode Fuzzy Hash: c15c1ee89e93c96ae34e4ef4bd20b42e19debdc84aa94c683d830ec268d23c08
        • Instruction Fuzzy Hash: 1781A672D0552ADBDF14CE68C5406ADB7B1EB85324F1542AADC56BB3C2C338AD42CBC5
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCommandLineA.KERNEL32 ref: 004171A7
        • lstrlen.KERNEL32(00000000,?,00000000,0000000A), ref: 004171BB
        • CreateMutexW.KERNEL32(0040FE78,00000001,?), ref: 0041720E
        • GetLastError.KERNEL32 ref: 00417217
        • CloseHandle.KERNEL32(?), ref: 00417273
        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0041731D
        • lstrcmpiW.KERNEL32(?,?), ref: 0041733E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCommandCreateErrorFileHandleLastLineModuleMutexNamelstrcmpilstrlen
        • String ID: `)~
        • API String ID: 4203948586-1148047842
        • Opcode ID: 0cab500ac5fb36bc88e3b01c0160c3acc145e555bc3c34c2f4e52c77786d2457
        • Instruction ID: 6205313b8feaaa7d6627a14e5a6a6f09c8a3b19e9c0212f17061bf2bc7f0dfe0
        • Opcode Fuzzy Hash: 0cab500ac5fb36bc88e3b01c0160c3acc145e555bc3c34c2f4e52c77786d2457
        • Instruction Fuzzy Hash: 51C18272904209FFDB21ABA4DD89EEE7B7CEF04304F14007AF601A6551DB399E95CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • LoadLibraryA.KERNEL32(?,?), ref: 0040719A
        • GetProcAddress.KERNEL32(00000000,?), ref: 004071AE
        • GetProcAddress.KERNEL32(00000000,?), ref: 004071C3
        • GetProcAddress.KERNEL32(00000000,?), ref: 004071D8
        • GetProcAddress.KERNEL32(00000000,?), ref: 004071ED
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407202
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407217
        • GetProcAddress.KERNEL32(00000000,?), ref: 0040722C
        • LoadLibraryA.KERNEL32(?), ref: 00407288
        • GetProcAddress.KERNEL32(00000000,?), ref: 0040729C
        • LoadLibraryA.KERNEL32(?), ref: 004072C0
        • GetProcAddress.KERNEL32(00000000,?), ref: 004072D4
        • GetProcAddress.KERNEL32(00000000,?), ref: 004072E9
        • GetProcAddress.KERNEL32(00000000,?), ref: 004072FE
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407313
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407328
        • GetProcAddress.KERNEL32(00000000,?), ref: 0040733D
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407352
        • GetProcAddress.KERNEL32(00000000,?), ref: 00407367
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • lstrcmpiW.KERNEL32(?,?), ref: 0040754D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad$AllocateHeaplstrcmpi
        • String ID: `)~
        • API String ID: 517328672-1148047842
        • Opcode ID: af87abf1a26257a291293d4c3d85c2de9fc2b28d80af14fd78cb71682809db33
        • Instruction ID: eeec1bcca339a6e18960b0bce34abb26fea0a92dc33fded08ef9e8a4ed93f830
        • Opcode Fuzzy Hash: af87abf1a26257a291293d4c3d85c2de9fc2b28d80af14fd78cb71682809db33
        • Instruction Fuzzy Hash: 07E10531901608EFDF21DFA8CD489AE7BB5FF08741B14443AF909E2660DB36A845DFA5
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,?,00000000), ref: 00417DB9
        • PathCombineW.SHLWAPI(?,?,?,?,00000000), ref: 00417DD2
        • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000000,00000000,?,00000000), ref: 00417DEB
        • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000), ref: 00417E02
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000), ref: 00417E29
        • lstrlen.KERNEL32(?,?,?,00000000), ref: 00417EFD
        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 00417F6C
        • SetEndOfFile.KERNEL32(?,?,?,00000000), ref: 00417F75
        • lstrlen.KERNEL32(?,?,00000000,?,?,00000000), ref: 00417F97
        • WriteFile.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 00417FA3
        • lstrlen.KERNEL32(000000FF,?,?,00000000), ref: 00417FEC
        • WriteFile.KERNEL32(?,004012F0,00000002,?,00000000,?,?,00000000), ref: 00418011
        • lstrlen.KERNEL32(?,?,00000000,?,?,00000000), ref: 0041801E
        • WriteFile.KERNEL32(?,?,00000000,?,?,00000000), ref: 00418029
        • WriteFile.KERNEL32(?,00401288,00000001,?,00000000,?,?,00000000), ref: 0041803F
        • lstrlen.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0041804C
        • WriteFile.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 00418057
        • WriteFile.KERNEL32(?,004012F0,00000002,?,00000000,?,?,00000000), ref: 00418069
        • FlushFileBuffers.KERNEL32(?,?,?,00000000), ref: 00418086
        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 004180A5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Write$lstrlen$Path$AllocateBuffersCloseCombineCreateFlushFolderHandleHeapPointerReadSizeSpecial
        • String ID: `)~
        • API String ID: 1112852544-1148047842
        • Opcode ID: 7a489053ca794dec603d9596e7f0f6c0d9e6111445c308ceb04517edb4261f7a
        • Instruction ID: aaa16cb4d532037bf060a0a66263ae41fc0a66c3a19b5beb539c74ff44d62a63
        • Opcode Fuzzy Hash: 7a489053ca794dec603d9596e7f0f6c0d9e6111445c308ceb04517edb4261f7a
        • Instruction Fuzzy Hash: 5AA1A372904249AFDF319FA4CD89AEFBBB9EF09310F54007AF541A22A0D7345D86DB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,?,00000000), ref: 00405AC7
        • PathCombineW.SHLWAPI(?,?,?,?,00000000), ref: 00405AE0
        • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000000,00000000,?,00000000), ref: 00405AF9
        • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405B10
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000), ref: 00405B37
        • lstrlen.KERNEL32(?,?,?,00000000), ref: 00405C0B
        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 00405C7A
        • SetEndOfFile.KERNEL32(?,?,?,00000000), ref: 00405C83
        • lstrlen.KERNEL32(?,?,00000000,?,?,00000000), ref: 00405CA5
        • WriteFile.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 00405CB1
        • lstrlen.KERNEL32(000000FF,?,?,00000000), ref: 00405CFA
        • WriteFile.KERNEL32(?,004012F0,00000002,?,00000000,?,?,00000000), ref: 00405D1F
        • lstrlen.KERNEL32(?,?,00000000,?,?,00000000), ref: 00405D2C
        • WriteFile.KERNEL32(?,?,00000000,?,?,00000000), ref: 00405D37
        • WriteFile.KERNEL32(?,00401288,00000001,?,00000000,?,?,00000000), ref: 00405D4D
        • lstrlen.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00405D5A
        • WriteFile.KERNEL32(?,00000000,00000000,?,?,00000000), ref: 00405D65
        • WriteFile.KERNEL32(?,004012F0,00000002,?,00000000,?,?,00000000), ref: 00405D77
        • FlushFileBuffers.KERNEL32(?,?,?,00000000), ref: 00405D94
        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00405DB3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Write$lstrlen$Path$AllocateBuffersCloseCombineCreateFlushFolderHandleHeapPointerReadSizeSpecial
        • String ID: `)~
        • API String ID: 1112852544-1148047842
        • Opcode ID: c58e93aff82f31f31189b74aecd95ff3cc9509a53166b9de8e1a9a7e91e94d66
        • Instruction ID: 9f1a3b0786024d561a9beb170c269d69eb930de4a2a0cf6dfccdbc9931988678
        • Opcode Fuzzy Hash: c58e93aff82f31f31189b74aecd95ff3cc9509a53166b9de8e1a9a7e91e94d66
        • Instruction Fuzzy Hash: 6AA17C32904609AFEB219FA4DD49EAFBBB9EF09300F14007BE541B62E0D7395D428F58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 0041D265
        • GetThreadPriority.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,004170BA,00000006), ref: 0041D271
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,00000000,?,?,?,?,?,?,004170BA,00000006), ref: 0041D27D
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • wvnsprintfA.SHLWAPI(?,00A00000,?,00000006), ref: 0041D2BF
        • lstrlen.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,004170BA,00000006), ref: 0041D2D1
        • GetTickCount.KERNEL32 ref: 0041D2DA
        • GetSystemTime.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,004170BA), ref: 0041D2EE
        • SetThreadPriority.KERNEL32(?,?), ref: 0041D427
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread$Priority$AllocateCountCurrentHeapSystemTickTimelstrlenwvnsprintf
        • String ID: ,$LLAH$`)~
        • API String ID: 3569216593-2895407856
        • Opcode ID: 44378cb54c30590992ed73e6e10ff242a05bbbe4e022eb032cb61bd83542af3f
        • Instruction ID: b280e86381d414024fb96284409e5a8854e4e6f77647d22375962868501e2d08
        • Opcode Fuzzy Hash: 44378cb54c30590992ed73e6e10ff242a05bbbe4e022eb032cb61bd83542af3f
        • Instruction Fuzzy Hash: B68161B2900209BFCB21AFA1DD49EDB7BBCEF49744F04453BF611E2461D77896448BA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 0040AF73
        • GetThreadPriority.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00404DC8,00000006), ref: 0040AF7F
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,00000000,?,?,?,?,?,?,00404DC8,00000006), ref: 0040AF8B
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • wvnsprintfA.SHLWAPI(?,00A00000,?,00000006), ref: 0040AFCD
        • lstrlen.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00404DC8,00000006), ref: 0040AFDF
        • GetTickCount.KERNEL32 ref: 0040AFE8
        • GetSystemTime.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00404DC8), ref: 0040AFFC
        • SetThreadPriority.KERNEL32(?,?), ref: 0040B135
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread$Priority$AllocateCountCurrentHeapSystemTickTimelstrlenwvnsprintf
        • String ID: ,$LLAH$`)~
        • API String ID: 3569216593-2895407856
        • Opcode ID: 8ad63e4ba71038205f47094bdaf161197c890a0d505f2a10224cf1f6b373e43a
        • Instruction ID: f68b49b6a91b60cff58506494a0404f7cf78155ba7b7ed70cea386c95f83c328
        • Opcode Fuzzy Hash: 8ad63e4ba71038205f47094bdaf161197c890a0d505f2a10224cf1f6b373e43a
        • Instruction Fuzzy Hash: 7A813E72500209BFCB21AFA1DD49EAB7BBCEF49704F04053BF651F6491DB7896048BA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041CBB4
        • GetUserNameW.ADVAPI32(?,00000103), ref: 0041CBE3
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041CC27
        • Process32FirstW.KERNEL32(00000000,?), ref: 0041CC3F
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041CD57
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041CD66
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041CD6D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseHandle$CreateFirstFolderNamePathProcess32SnapshotSpecialToolhelp32User
        • String ID: ?$?$\$\$`)~
        • API String ID: 4249123633-197138563
        • Opcode ID: 9c4be4d30dca1eccdfcaeb7e6699d8e2cbb2ead35a2ace792b5a5f173221e444
        • Instruction ID: ba810d3d689644cd6a3941a8b32146a64a1fa178951395ef36b3bbdc19af9a52
        • Opcode Fuzzy Hash: 9c4be4d30dca1eccdfcaeb7e6699d8e2cbb2ead35a2ace792b5a5f173221e444
        • Instruction Fuzzy Hash: A9512D71940219EADB319B64DD88EDB7BBCBF04305F1041B6E60AE2550E7349EC88F58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(004041E4), ref: 0040A706
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000001,00000000,004041E4,00000000), ref: 0040A747
        • RegQueryValueExW.ADVAPI32(004041E4,?,00000000,?,?,00000206), ref: 0040A76C
        • RegCloseKey.ADVAPI32(004041E4), ref: 0040A78C
        • GetComputerNameW.KERNEL32(?,00000206), ref: 0040A7AA
        • lstrcpyW.KERNEL32(?,unknown), ref: 0040A7BD
        • GetTickCount.KERNEL32 ref: 0040A7C3
        • wnsprintfW.SHLWAPI ref: 0040A7E2
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,A@1,00000000), ref: 0040A80A
        • RegSetValueExW.ADVAPI32(A@1,?,00000000,00000001,?,00000031), ref: 0040A82C
        • RegCloseKey.ADVAPI32(?), ref: 0040A835
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateValue$ComputerCountNameQueryTicklstrcpylstrlenwnsprintf
        • String ID: 1$`)~$unknown$A@1$A@1
        • API String ID: 2879380669-1722068459
        • Opcode ID: 35e6e00c38065ab0557413bdbc7835fcde5383f53f31eb497a6749a0da66e8ab
        • Instruction ID: 908bcb17ba1d79e3bc43b6f175819525f940c2eb41122dd90183af7c65e814cf
        • Opcode Fuzzy Hash: 35e6e00c38065ab0557413bdbc7835fcde5383f53f31eb497a6749a0da66e8ab
        • Instruction Fuzzy Hash: 43518B72800208EFDF21DBA4DD88EDE7BBCEB04344F1081BAF505F71A1E6359A559B59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00405478
          • Part of subcall function 004098B6: PathCombineW.SHLWAPI(?,?,?,00000000,0040503D,?), ref: 004098CC
        • CreateFileW.KERNEL32(0040F848,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040549C
          • Part of subcall function 004099B0: PathCombineW.SHLWAPI(?,?,007E2960), ref: 004099D5
          • Part of subcall function 004099B0: CreateDirectoryW.KERNEL32(?,00000000), ref: 004099E4
          • Part of subcall function 004099B0: SetFileAttributesW.KERNEL32(?,00000006), ref: 004099F3
          • Part of subcall function 004033E1: PathCombineW.SHLWAPI(?,007E2960,?), ref: 00403408
          • Part of subcall function 004033E1: PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00403417
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004054BE
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004054E6
        • Sleep.KERNEL32(00000014), ref: 0040554D
          • Part of subcall function 004090CE: OpenMutexW.KERNEL32(001F0001,00000000,?,00404F4E,?), ref: 004090D9
        • Sleep.KERNEL32(00000014), ref: 004055B3
          • Part of subcall function 00406A2E: OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00405230,-0000A820,00000000,00000000,007E2960), ref: 00406A52
        • Sleep.KERNEL32(00000014), ref: 004055D4
        • Sleep.KERNEL32(00000064), ref: 004055F5
        • WaitForSingleObject.KERNEL32(00000032), ref: 00405603
        • Sleep.KERNEL32(00000014), ref: 0040563C
        • CloseHandle.KERNEL32 ref: 0040565A
        • CloseHandle.KERNEL32 ref: 00405666
        • CloseHandle.KERNEL32 ref: 00405672
        • CloseHandle.KERNEL32 ref: 0040567E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CreateSleep$CloseCombineFileHandlePath$Open$AttributesDirectoryEventMutexObjectProcessSingleWait
        • String ID: `)~
        • API String ID: 1384915944-1148047842
        • Opcode ID: 25828b77249b7b5984431dc164f4d15973021c252e601d64c58c92a282cbb0bb
        • Instruction ID: 5f003092f955c244e93faa41f63476b42a0c3ce92afe5624afe4b2c9eaecd6ca
        • Opcode Fuzzy Hash: 25828b77249b7b5984431dc164f4d15973021c252e601d64c58c92a282cbb0bb
        • Instruction Fuzzy Hash: C3518D72111610EBCA30AB76EE4DE873F69EF05365B104136F605B6AB2D63A5818CF68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041776A
          • Part of subcall function 0041BBA8: PathCombineW.SHLWAPI(?,?,?,00000000,0041732F,?), ref: 0041BBBE
        • CreateFileW.KERNEL32(0040F848,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0041778E
          • Part of subcall function 0041BCA2: PathCombineW.SHLWAPI(?,?,007E2960), ref: 0041BCC7
          • Part of subcall function 0041BCA2: CreateDirectoryW.KERNEL32(?,00000000), ref: 0041BCD6
          • Part of subcall function 0041BCA2: SetFileAttributesW.KERNEL32(?,00000006), ref: 0041BCE5
          • Part of subcall function 004156D3: PathCombineW.SHLWAPI(?,007E2960,?), ref: 004156FA
          • Part of subcall function 004156D3: PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00415709
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004177B0
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 004177D8
        • Sleep.KERNEL32(00000014), ref: 0041783F
          • Part of subcall function 0041B3C0: OpenMutexW.KERNEL32(001F0001,00000000,?,00417240,?), ref: 0041B3CB
        • Sleep.KERNEL32(00000014), ref: 004178A5
          • Part of subcall function 00418D20: OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00417522,-0000A820,00000000,00000000,007E2960), ref: 00418D44
        • Sleep.KERNEL32(00000014), ref: 004178C6
        • Sleep.KERNEL32(00000064), ref: 004178E7
        • WaitForSingleObject.KERNEL32(00000032), ref: 004178F5
        • Sleep.KERNEL32(00000014), ref: 0041792E
        • CloseHandle.KERNEL32 ref: 0041794C
        • CloseHandle.KERNEL32 ref: 00417958
        • CloseHandle.KERNEL32 ref: 00417964
        • CloseHandle.KERNEL32 ref: 00417970
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CreateSleep$CloseCombineFileHandlePath$Open$AttributesDirectoryEventMutexObjectProcessSingleWait
        • String ID: `)~
        • API String ID: 1384915944-1148047842
        • Opcode ID: 9bde0bd85b04d0b8374c01c5507b71797c437aa1e4b8b1672e3f03cf05eddad0
        • Instruction ID: 90d31eeec72b3617646c978163c674eb5cfce183596ecfc1a4bac2d57d707b9f
        • Opcode Fuzzy Hash: 9bde0bd85b04d0b8374c01c5507b71797c437aa1e4b8b1672e3f03cf05eddad0
        • Instruction Fuzzy Hash: E0518072500210EBD630BB75EE4DEC73F79EF0A365B10013AFA09A69B2D7355458CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041EDED
        • InternetSetStatusCallback.WININET(?,0040CA94), ref: 0041EE04
        • InternetQueryOptionA.WININET(?,0000002D,?,?), ref: 0041EE26
        • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0041EE39
        • InternetReadFileExA.WININET(?,?,00000008,?), ref: 0041EE70
        • GetLastError.KERNEL32 ref: 0041EE7A
        • ResetEvent.KERNEL32(?), ref: 0041EED9
        • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0041EF44
        • InternetSetStatusCallback.WININET(?,000000FF), ref: 0041EF5E
        • CloseHandle.KERNEL32(?), ref: 0041EF6A
        • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0041F1A6
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0041F20A
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041F24B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$Option$CallbackCriticalEventQuerySectionStatus$CloseCreateEnterErrorFileHandleLastLeaveReadReset
        • String ID: `)~
        • API String ID: 996189185-1148047842
        • Opcode ID: 91367510a4391a64f57fb63b4ad4f19a508e9d21da85e97e2ec415c880f68035
        • Instruction ID: 53afe0d6d0863a80bc825eb422b74b8db42b0ae4428ea8dc2cb95fb494eca2df
        • Opcode Fuzzy Hash: 91367510a4391a64f57fb63b4ad4f19a508e9d21da85e97e2ec415c880f68035
        • Instruction Fuzzy Hash: 52024C75A00208EFCB14DF99CC85EDE7BB5EF08354F15406AF909AB261D734AE86CB94
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040CAFB
        • InternetSetStatusCallback.WININET(?,0040CA94), ref: 0040CB12
        • InternetQueryOptionA.WININET(?,0000002D,?,?), ref: 0040CB34
        • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0040CB47
        • InternetReadFileExA.WININET(?,?,00000008,?), ref: 0040CB7E
        • GetLastError.KERNEL32 ref: 0040CB88
        • ResetEvent.KERNEL32(?), ref: 0040CBE7
        • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0040CC52
        • InternetSetStatusCallback.WININET(?,000000FF), ref: 0040CC6C
        • CloseHandle.KERNEL32(?), ref: 0040CC78
        • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040CEB4
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0040CF18
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040CF59
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$Option$CallbackCriticalEventQuerySectionStatus$CloseCreateEnterErrorFileHandleLastLeaveReadReset
        • String ID: `)~
        • API String ID: 996189185-1148047842
        • Opcode ID: bf58ce87a9ae7f83b01c770c30a67c9b4fc8f4b9e4dd675abec237ce77ccbddd
        • Instruction ID: 9b139be5ed70041c3435d3d7b641caf44c898d9e18f5c8be49536e59d4f18b91
        • Opcode Fuzzy Hash: bf58ce87a9ae7f83b01c770c30a67c9b4fc8f4b9e4dd675abec237ce77ccbddd
        • Instruction Fuzzy Hash: BD025D71A00208EFCB14DF99CC85EAE7BB5FF08314F14416AF909AB2A1D734EA45CB94
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(004164D6), ref: 0041C9F8
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000001,00000000,004164D6,00000000), ref: 0041CA39
        • RegQueryValueExW.ADVAPI32(004164D6,?,00000000,?,?,00000206), ref: 0041CA5E
        • RegCloseKey.ADVAPI32(004164D6), ref: 0041CA7E
        • GetComputerNameW.KERNEL32(?,00000206), ref: 0041CA9C
        • lstrcpyW.KERNEL32(?,unknown), ref: 0041CAAF
        • GetTickCount.KERNEL32 ref: 0041CAB5
        • wnsprintfW.SHLWAPI ref: 0041CAD4
        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,004164D6,00000000), ref: 0041CAFC
        • RegSetValueExW.ADVAPI32(004164D6,?,00000000,00000001,?,00000031), ref: 0041CB1E
        • RegCloseKey.ADVAPI32(004164D6), ref: 0041CB27
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateValue$ComputerCountNameQueryTicklstrcpylstrlenwnsprintf
        • String ID: 1$`)~$unknown
        • API String ID: 2879380669-1478959327
        • Opcode ID: 35e6e00c38065ab0557413bdbc7835fcde5383f53f31eb497a6749a0da66e8ab
        • Instruction ID: 52fa196dbf0f380cff649665cf140590373ab030d1f21a96c22b40ce5d58169f
        • Opcode Fuzzy Hash: 35e6e00c38065ab0557413bdbc7835fcde5383f53f31eb497a6749a0da66e8ab
        • Instruction Fuzzy Hash: 36518C72940108FFDF21DFA4DD89EDE7BBCEB04344F1041BAF505E2161D635AA859B58
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID: `)~
        • API String ID: 0-1148047842
        • Opcode ID: 5561ca24b0583f148f16d81f6df54327546f0cef4f068a872abf17db05ff7cd8
        • Instruction ID: 0d36e436be574a1b811cc7d50b477913b55a95f9b25f055b74603bfb1a362ce7
        • Opcode Fuzzy Hash: 5561ca24b0583f148f16d81f6df54327546f0cef4f068a872abf17db05ff7cd8
        • Instruction Fuzzy Hash: EF5120B2804218BFDF21AFA4DC89EEE7B7DEF04305F140476F515E2150EB355A898B69
        Uniqueness

        Uniqueness Score: -1.00%

        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID: `)~
        • API String ID: 0-1148047842
        • Opcode ID: ade51813a02c34840f652c78a3fe8d24553cc5bf352d5aaeb8517b43bdec990b
        • Instruction ID: 5deccb81426b54207bcaeba0248487a5106433a201c04cfbe94a9538ac4a0254
        • Opcode Fuzzy Hash: ade51813a02c34840f652c78a3fe8d24553cc5bf352d5aaeb8517b43bdec990b
        • Instruction Fuzzy Hash: 39512E72804108BFDF11AFA4DC89EEE777CEF05304F1405BAFA15B2191DB394A498B69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 0041BCFB
        • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,00000000,00000000), ref: 0041BD20
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041BD43
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041BD76
        • StrCmpNIW.SHLWAPI(00000002,?,?,?,00000000,00000000), ref: 0041BDA0
        • lstrlenW.KERNEL32(00000000,?,00000000,00000000), ref: 0041BDBB
        • lstrcpyW.KERNEL32(00000000,?), ref: 0041BDDD
        • lstrcpyW.KERNEL32(00000000,004030FC), ref: 0041BDEF
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,?,?,00000000,00000000), ref: 0041BE0A
        • RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 0041BE24
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000,00000000), ref: 0041BE49
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000002,?,00000000,00000000), ref: 0041BE69
        • RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 0041BE74
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Value$CloseCreateQuerylstrcpylstrlen$AllocateHeap
        • String ID: `)~
        • API String ID: 2792512604-1148047842
        • Opcode ID: dc7caabc143b9154b5e43b0fec58639438ccade47dc46ebcd5d773d59103e788
        • Instruction ID: 34e06442a29b94fc7a934a9fae827861a61a720f1f38fd3ffcae813fc25fb176
        • Opcode Fuzzy Hash: dc7caabc143b9154b5e43b0fec58639438ccade47dc46ebcd5d773d59103e788
        • Instruction Fuzzy Hash: AA516736500218FBCB209FA5DE88EDB7FB9FF09751B000076F505A6260D771AA84DBE8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateMutexW.KERNEL32(0040FE78,00000000,?), ref: 0041B248
        • SetEvent.KERNEL32(?), ref: 0041B254
        • DisconnectNamedPipe.KERNEL32(?), ref: 0041B25C
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041B266
        • ConnectNamedPipe.KERNEL32(?,00000000), ref: 0041B27B
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041B2A2
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041B2C5
        • ReadFile.KERNEL32(?,00000000,00A00000,?,00000000), ref: 0041B30C
        • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0041B33E
        • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0041B35C
        • WriteFile.KERNEL32(?,?,00A00000,?,00000000), ref: 0041B374
        • FlushFileBuffers.KERNEL32(?), ref: 0041B37C
        • DisconnectNamedPipe.KERNEL32(?), ref: 0041B38D
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041B397
        • CloseHandle.KERNEL32(?), ref: 0041B3A9
        • SetEvent.KERNEL32(?), ref: 0041B3B2
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$NamedPipeReadWrite$DisconnectEventObjectSingleWait$BuffersCloseConnectCreateFlushHandleMutex
        • String ID:
        • API String ID: 488768894-0
        • Opcode ID: f35be6437695437fbfae300081be519ee05087e974eca5142da14784316d0682
        • Instruction ID: 7e34890586e6beb05ea8267724342a943c31ba6efd14f44bbd6332f2b8363c10
        • Opcode Fuzzy Hash: f35be6437695437fbfae300081be519ee05087e974eca5142da14784316d0682
        • Instruction Fuzzy Hash: 3C510676800108FFDB219F95DD48DEEBBB9FF44340B20843AF956E5520E7329A94DB94
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateMutexW.KERNEL32(0040FE78,00000000,?), ref: 00408F56
        • SetEvent.KERNEL32(?), ref: 00408F62
        • DisconnectNamedPipe.KERNEL32(?), ref: 00408F6A
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 00408F74
        • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00408F89
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00408FB0
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00408FD3
        • ReadFile.KERNEL32(?,00000000,00A00000,?,00000000), ref: 0040901A
        • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0040904C
        • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0040906A
        • WriteFile.KERNEL32(?,?,00A00000,?,00000000), ref: 00409082
        • FlushFileBuffers.KERNEL32(?), ref: 0040908A
        • DisconnectNamedPipe.KERNEL32(?), ref: 0040909B
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 004090A5
        • CloseHandle.KERNEL32(?), ref: 004090B7
        • SetEvent.KERNEL32(?), ref: 004090C0
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$NamedPipeReadWrite$DisconnectEventObjectSingleWait$BuffersCloseConnectCreateFlushHandleMutex
        • String ID:
        • API String ID: 488768894-0
        • Opcode ID: ae272e5335877ae8caf358f961d85f89059a3d4c985c8d5eb49d6da42a4c8c29
        • Instruction ID: a9529b80dc67b64f0dce6a50a6c05abd4ba8f6a6f25c519582c887b251b64a0c
        • Opcode Fuzzy Hash: ae272e5335877ae8caf358f961d85f89059a3d4c985c8d5eb49d6da42a4c8c29
        • Instruction Fuzzy Hash: A9510376800108FFDB219FA0DD48DAFBBB9EF44341B20843AF946E5561E7329A94DB54
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0041F495
        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0041F4C1
          • Part of subcall function 0041DEDE: lstrlen.KERNEL32(?), ref: 0041DEE8
          • Part of subcall function 0041DEDE: lstrlen.KERNEL32(?), ref: 0041DEF4
          • Part of subcall function 0041DEDE: lstrcpy.KERNEL32(00000001), ref: 0041DF70
        • HttpOpenRequestA.WININET(00000004,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0041F520
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0041F55C
        • lstrcpy.KERNEL32(?,?), ref: 0041F57A
        • wnsprintfA.SHLWAPI ref: 0041F5A2
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0041F5BF
        • InternetSetStatusCallback.WININET(?,Function_0000D138), ref: 0041F5D0
        • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 0041F5EC
        • HttpQueryInfoA.WININET(?,20000013,?,00000031,00000000), ref: 0041F614
        • InternetQueryOptionA.WININET(?,00000022,?,00000004), ref: 0041F63D
          • Part of subcall function 0041E876: lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0041F65C,?,00000005), ref: 0041E896
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Http$Internet$QueryRequestlstrlen$InfoOpenlstrcpy$CallbackConnectHeadersOptionSendStatuswnsprintf
        • String ID: 1$`)~
        • API String ID: 878478937-3458160306
        • Opcode ID: b6acf639d68a26ceafb0b8818c9d96b31f608895cfc97323bcaf6b37f698b062
        • Instruction ID: d5dc993689963351310c0f82e63c52b48496257f6661f9b479b4bdc963b84465
        • Opcode Fuzzy Hash: b6acf639d68a26ceafb0b8818c9d96b31f608895cfc97323bcaf6b37f698b062
        • Instruction Fuzzy Hash: 105146B1500208AFDB20DF54DD84E96BBF9FB08354B10847AF64A97661D735ED89CF28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0040D1A3
        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040D1CF
          • Part of subcall function 0040BBEC: lstrlen.KERNEL32(?), ref: 0040BBF6
          • Part of subcall function 0040BBEC: lstrlen.KERNEL32(?), ref: 0040BC02
          • Part of subcall function 0040BBEC: lstrcpy.KERNEL32(00000001), ref: 0040BC7E
        • HttpOpenRequestA.WININET(00000004,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0040D22E
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040D26A
        • lstrcpy.KERNEL32(?,?), ref: 0040D288
        • wnsprintfA.SHLWAPI ref: 0040D2B0
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0040D2CD
        • InternetSetStatusCallback.WININET(?,Function_0000D138), ref: 0040D2DE
        • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 0040D2FA
        • HttpQueryInfoA.WININET(?,20000013,?,00000031,00000000), ref: 0040D322
        • InternetQueryOptionA.WININET(?,00000022,?,00000004), ref: 0040D34B
          • Part of subcall function 0040C584: lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0040D36A,?,00000005), ref: 0040C5A4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Http$Internet$QueryRequestlstrlen$InfoOpenlstrcpy$CallbackConnectHeadersOptionSendStatuswnsprintf
        • String ID: 1$`)~
        • API String ID: 878478937-3458160306
        • Opcode ID: b5dc5ebb9080fd1ca1cb1db88d2c1c4a55a2c97d7e8bfa5def481564b00a9120
        • Instruction ID: 75cb416fd5a4b470f2174d13528dc03b5746c9224e48fa7c195013f6d377f762
        • Opcode Fuzzy Hash: b5dc5ebb9080fd1ca1cb1db88d2c1c4a55a2c97d7e8bfa5def481564b00a9120
        • Instruction Fuzzy Hash: 765129B1500204EFDB20DF94DD84E96BBF9FB08354B10847AF959A76A1D735E988CF28
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004180B0: CoCreateInstance.OLE32(004012F4,00000000,00000001,00401304,?), ref: 004180CA
        • GetCurrentThread.KERNEL32 ref: 0041A68D
        • SetThreadPriority.KERNEL32(00000000), ref: 0041A694
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0041A6AF
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0041A6C6
        • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 0041A6E1
          • Part of subcall function 0041C9A7: lstrlenW.KERNEL32(004164D6), ref: 0041C9F8
          • Part of subcall function 0041C9A7: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,004164D6,00000000), ref: 0041CAFC
          • Part of subcall function 0041C9A7: RegSetValueExW.ADVAPI32(004164D6,?,00000000,00000001,?,00000031), ref: 0041CB1E
          • Part of subcall function 0041C9A7: RegCloseKey.ADVAPI32(004164D6), ref: 0041CB27
        • WaitForSingleObject.KERNEL32(00000014), ref: 0041A72D
        • WaitForSingleObject.KERNEL32(000000FF), ref: 0041A770
        • Sleep.KERNEL32(00000014), ref: 0041A77A
        • CloseHandle.KERNEL32 ref: 0041A78E
        • InternetCloseHandle.WININET ref: 0041A79A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateInternet$HandleObjectSingleThreadWait$CurrentEventInstanceOpenOptionPrioritySleepValuelstrlen
        • String ID: `)~$`
        • API String ID: 166738788-2777742128
        • Opcode ID: 8fd16744904cfb14852042a0ff611e14e239dba66b18295b73278eb01279c0c0
        • Instruction ID: 06e454b1f50c172e2fe7ae648a950b88e99e0f01af059a0bde0096fde3c120c4
        • Opcode Fuzzy Hash: 8fd16744904cfb14852042a0ff611e14e239dba66b18295b73278eb01279c0c0
        • Instruction Fuzzy Hash: 4531C231240210EFD731ABA2EE0AE8A3B75EB09761B10013AF519B6DF1CA745489DF6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00405DBE: CoCreateInstance.OLE32(004012F4,00000000,00000001,00401304,?), ref: 00405DD8
        • GetCurrentThread.KERNEL32 ref: 0040839B
        • SetThreadPriority.KERNEL32(00000000), ref: 004083A2
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004083BD
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 004083D4
        • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 004083EF
          • Part of subcall function 0040A6B5: lstrlenW.KERNEL32(004041E4), ref: 0040A706
          • Part of subcall function 0040A6B5: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,A@1,00000000), ref: 0040A80A
          • Part of subcall function 0040A6B5: RegSetValueExW.ADVAPI32(A@1,?,00000000,00000001,?,00000031), ref: 0040A82C
          • Part of subcall function 0040A6B5: RegCloseKey.ADVAPI32(?), ref: 0040A835
        • WaitForSingleObject.KERNEL32(00000014), ref: 0040843B
        • WaitForSingleObject.KERNEL32(000000FF), ref: 0040847E
        • Sleep.KERNEL32(00000014), ref: 00408488
        • CloseHandle.KERNEL32 ref: 0040849C
        • InternetCloseHandle.WININET ref: 004084A8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateInternet$HandleObjectSingleThreadWait$CurrentEventInstanceOpenOptionPrioritySleepValuelstrlen
        • String ID: `)~$`
        • API String ID: 166738788-2777742128
        • Opcode ID: 0385d96908ac4a33754a160446e965e75f531d55decfb2c28bdfbf5e095ce118
        • Instruction ID: 36bcdfeb9ca108ca814e1382b03add8ffcc72c504025f24c103e9e202435d4dc
        • Opcode Fuzzy Hash: 0385d96908ac4a33754a160446e965e75f531d55decfb2c28bdfbf5e095ce118
        • Instruction Fuzzy Hash: E131A431104210EBD730ABA2EF0EE4A3B25EB04765B10413AF509B6DF1DA755809DF6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0000000A), ref: 00419E80
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AllocateHeaplstrlen
        • String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
        • API String ID: 556738718-737691513
        • Opcode ID: 31da4ac32f1b687a50ee582e8fccfd7df22c9def53e327fc8f6df0d46802f04f
        • Instruction ID: d28a6f28c3d0a2abe24f9caad105c3648d387bffcfcceb98598298641a63f9f1
        • Opcode Fuzzy Hash: 31da4ac32f1b687a50ee582e8fccfd7df22c9def53e327fc8f6df0d46802f04f
        • Instruction Fuzzy Hash: 8ED1E271A48305BAFB206BA5DC5ABEF3BA9AF01354F14002BF504A52D2EB7D8DC18759
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0000000A), ref: 00407B8E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AllocateHeaplstrlen
        • String ID: *keep-alive*$/$CONNECT $Connection: $Connection: close$Content-Length: $HTTP/1.0 200 Connection established$Host: $P$Proxy-$Proxy-Connection: $http://
        • API String ID: 556738718-737691513
        • Opcode ID: 3ea38f0ff6a3f1f3bfa73fe5dbb7cd7e305895bb28c13efcdc015a04d1a63c05
        • Instruction ID: 2340d908603eef8f3025f8e7f443e7d1b5398c4300ef28fc94a3e923d818be13
        • Opcode Fuzzy Hash: 3ea38f0ff6a3f1f3bfa73fe5dbb7cd7e305895bb28c13efcdc015a04d1a63c05
        • Instruction Fuzzy Hash: 9CD1E471E0C305BAFB206B658D4AF6F3FA8AF01304F14443BF544B52D2EA7DA9418B5A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000), ref: 0040AAE3
        • OpenProcessToken.ADVAPI32(00000000,0000000B,?,?,00000000), ref: 0040AAF6
        • DuplicateTokenEx.ADVAPI32(?,0000000B,00000000,00000002,00000001,?,?,00000000), ref: 0040AB0E
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0040AB1E
        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040AB25
        • CreateProcessAsUserW.ADVAPI32(?,00000000,0040381A,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000), ref: 0040AB47
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0040AB52
        • CreateProcessW.KERNEL32(00000000,0040381A,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00000000), ref: 0040AB6E
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0040AB7D
        • CloseHandle.KERNEL32(?,?,00000000), ref: 0040AB86
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseHandle$Process$CreateOpenToken$DuplicateUser
        • String ID: D
        • API String ID: 2747011430-2746444292
        • Opcode ID: f3c7db3c79abc7c2eff48aafbe17ff33fb57cd70352256e0a4236e079195607a
        • Instruction ID: cf502f0cbb8fe5aa89ef1c17caabb750e256612857e5abb91468b97b8f407d04
        • Opcode Fuzzy Hash: f3c7db3c79abc7c2eff48aafbe17ff33fb57cd70352256e0a4236e079195607a
        • Instruction Fuzzy Hash: 86310A72900208AFDF219FE0DD889DEBB79FF08341F00807AFA06F6550D73599549B99
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B3E2: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004155AD), ref: 0041B438
          • Part of subcall function 0041B3E2: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 0041B453
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B46F
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B488
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B4A2
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 0041B4BB
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B4D8
        • GetCurrentThread.KERNEL32 ref: 0041A2FD
        • GetThreadPriority.KERNEL32(00000000), ref: 0041A306
        • SetThreadPriority.KERNEL32(00000000,00000001), ref: 0041A312
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041A32C
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0041A33D
        • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 0041A379
        • CloseHandle.KERNEL32(00000000), ref: 0041A394
        • Process32NextW.KERNEL32(?,0000022C), ref: 0041A3A4
        • CloseHandle.KERNEL32(?), ref: 0041A3B1
        • SetThreadPriority.KERNEL32(00000000,?), ref: 0041A3C4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Thread$HandlePriorityWrite$CloseCreateProcess32Read$CurrentFirstNamedNextOpenPipeProcessSnapshotStateToolhelp32
        • String ID: `)~
        • API String ID: 2144073875-1148047842
        • Opcode ID: 7240d483dabd21d0d14ad5f79255c455e8b0e020c1e74125bf11c45d519b8506
        • Instruction ID: 153aa94ebb1f0ac72bdbb5524f64284e8abc0e807d369a707a8b009372b485a1
        • Opcode Fuzzy Hash: 7240d483dabd21d0d14ad5f79255c455e8b0e020c1e74125bf11c45d519b8506
        • Instruction Fuzzy Hash: 95217A72901218ABCF21ABA1DD4DADE7F78EF00311F1000B6F906E2661D7785A95CBA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004090F0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004032BB), ref: 00409146
          • Part of subcall function 004090F0: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 00409161
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0040917D
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 00409196
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 004091B0
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 004091C9
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 004091E6
        • GetCurrentThread.KERNEL32 ref: 0040800B
        • GetThreadPriority.KERNEL32(00000000), ref: 00408014
        • SetThreadPriority.KERNEL32(00000000,00000001), ref: 00408020
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040803A
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040804B
        • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00408087
        • CloseHandle.KERNEL32(00000000), ref: 004080A2
        • Process32NextW.KERNEL32(?,0000022C), ref: 004080B2
        • CloseHandle.KERNEL32(?), ref: 004080BF
        • SetThreadPriority.KERNEL32(00000000,?), ref: 004080D2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Thread$HandlePriorityWrite$CloseCreateProcess32Read$CurrentFirstNamedNextOpenPipeProcessSnapshotStateToolhelp32
        • String ID: `)~
        • API String ID: 2144073875-1148047842
        • Opcode ID: 63454b4b0c1801f5505efcc0cda74eeda4514abcdd5bdeeb9b05cc1342bf3022
        • Instruction ID: e7365682ff4b1289a9742e4fe6ad2a11f85e8df3963605a47b6f15f8f999d1b1
        • Opcode Fuzzy Hash: 63454b4b0c1801f5505efcc0cda74eeda4514abcdd5bdeeb9b05cc1342bf3022
        • Instruction Fuzzy Hash: D9218D71900114ABCB30ABA1DE4DA9F7F78EF05351F1044BAF505F26A1DB785A48CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcpy.KERNEL32(?,?), ref: 0040BCAC
        • lstrlen.KERNEL32(?), ref: 0040BCB9
        • lstrcpy.KERNEL32(?,?), ref: 0040BCE5
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0040BCF9
        • wnsprintfA.SHLWAPI ref: 0040BE57
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrcpy$InternetOpenlstrlenwnsprintf
        • String ID: *<input *value="$*<option selected$*<select $/$`)~
        • API String ID: 138785174-927106546
        • Opcode ID: 1ce9703034432eb3964d729d2572db0fb287ee85760e662ab985142d8359c13a
        • Instruction ID: d5ec4e00eb2eff3b2e4e7380ed54b229a58623e55543fbd92b92d0c6ea1782fe
        • Opcode Fuzzy Hash: 1ce9703034432eb3964d729d2572db0fb287ee85760e662ab985142d8359c13a
        • Instruction Fuzzy Hash: B561C072900209AFDF219BA4CD85FEF7BB8EB05304F1400BAE601B7291D7395E458BE9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcpy.KERNEL32(?,?), ref: 0041DF9E
        • lstrlen.KERNEL32(?), ref: 0041DFAB
        • lstrcpy.KERNEL32(?,?), ref: 0041DFD7
        • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 0041DFEB
        • wnsprintfA.SHLWAPI ref: 0041E149
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrcpy$InternetOpenlstrlenwnsprintf
        • String ID: *<input *value="$*<option selected$*<select $/$`)~
        • API String ID: 138785174-927106546
        • Opcode ID: 0c58d63bc03b187a687aa86935134ea936b1634b0e71bd7f1495cb54090996b5
        • Instruction ID: fc0ce6c183d93deeafc9dddb88ab45b80496cb72ba571a172bb95d39ecc70d11
        • Opcode Fuzzy Hash: 0c58d63bc03b187a687aa86935134ea936b1634b0e71bd7f1495cb54090996b5
        • Instruction Fuzzy Hash: 906101B2900209BFDF219BA5CC85BFE7BB8EB45300F1400BAE905A7251D7785E858B98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetEvent.KERNEL32 ref: 0041A45D
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 0041A4A6
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 0041A4BE
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 0041A4E6
        • RegCloseKey.ADVAPI32(?), ref: 0041A50F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: QueryValue$CloseCreateEvent
        • String ID: `)~
        • API String ID: 3176241675-1148047842
        • Opcode ID: 12e8b5de1e84e4e492ebdcb9aeb5b8a94ad4f4d8b4f5383e81ba3f995cb75896
        • Instruction ID: 4922a7244e5e69a489888e6a0dbe75d7a948455c1b0aaeb3254e237146d93445
        • Opcode Fuzzy Hash: 12e8b5de1e84e4e492ebdcb9aeb5b8a94ad4f4d8b4f5383e81ba3f995cb75896
        • Instruction Fuzzy Hash: F2414871211108FFEB21DFA5CD84EEA7BB9EB44300F10043AF845E6161E774AAA4DB69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetEvent.KERNEL32 ref: 0040816B
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 004081B4
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004081CC
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 004081F4
        • RegCloseKey.ADVAPI32(?), ref: 0040821D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: QueryValue$CloseCreateEvent
        • String ID: `)~
        • API String ID: 3176241675-1148047842
        • Opcode ID: 7deb05ab0d081af0dae20f296c8e37ffe8be340958d7097eba63c32c3c29ecbb
        • Instruction ID: 05a652526c4d132eb7713111aecb9f07951e7fddcf8e850004060a1973840797
        • Opcode Fuzzy Hash: 7deb05ab0d081af0dae20f296c8e37ffe8be340958d7097eba63c32c3c29ecbb
        • Instruction Fuzzy Hash: 4B415A71600509EFDF20DF95CE84EAA7BB8EF45300F1004BEF881E61A1DB74AA44DB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0041FE55
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0041FE78
          • Part of subcall function 0041E876: lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0041F65C,?,00000005), ref: 0041E896
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041FE89
        • HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0041FEAA
        • SetLastError.KERNEL32(00002F78), ref: 0041FEEA
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041FF5F
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0041FFA6
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041FFCD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeaveQuerylstrlen$ErrorHttpInfoInternetLastOption
        • String ID: -!-@hj01N./1@};|$`)~
        • API String ID: 200392079-1468696231
        • Opcode ID: b5e7869add5888ef5f9650c563a31bc9d01a8ce5c13e3367d2b95172bbccebcb
        • Instruction ID: d74ea7760ffedd568953841acc816eb91c13215c9eef1765ccb87aa8736b14e4
        • Opcode Fuzzy Hash: b5e7869add5888ef5f9650c563a31bc9d01a8ce5c13e3367d2b95172bbccebcb
        • Instruction Fuzzy Hash: 2041D4B1144704AED7209B31CD45BDB7BA8EF05314F14043FF60A962A2DB78698BCB6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040DB63
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0040DB86
          • Part of subcall function 0040C584: lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,0040D36A,?,00000005), ref: 0040C5A4
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040DB97
        • HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0040DBB8
        • SetLastError.KERNEL32(00002F78), ref: 0040DBF8
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040DC6D
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0040DCB4
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040DCDB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeaveQuerylstrlen$ErrorHttpInfoInternetLastOption
        • String ID: -!-@hj01N./1@};|$`)~
        • API String ID: 200392079-1468696231
        • Opcode ID: b5e7869add5888ef5f9650c563a31bc9d01a8ce5c13e3367d2b95172bbccebcb
        • Instruction ID: 00577a7943322a8b3853713973c239923bb0a254fac4d50c296f901d9624e4cf
        • Opcode Fuzzy Hash: b5e7869add5888ef5f9650c563a31bc9d01a8ce5c13e3367d2b95172bbccebcb
        • Instruction Fuzzy Hash: 7041C3B1504700AFE720AFA1DD45BA73BA9EF05300F14043FF54AA62D2DB79A949CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?), ref: 0041E499
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041E4E3
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041E527
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: %%0%uu$`)~
        • API String ID: 1659193697-1685184796
        • Opcode ID: 33ba563563bea3b400ce71b65ec87d1a3c234cc724266c63d8330f55472f83c8
        • Instruction ID: 3eca488d17e70f350b1a0abf1d05e83dd232d4ecf2952426d7eae7dd421b89b4
        • Opcode Fuzzy Hash: 33ba563563bea3b400ce71b65ec87d1a3c234cc724266c63d8330f55472f83c8
        • Instruction Fuzzy Hash: 72E127B5D00209AFDF11DFA5C845BFEBBF5EF05308F14406AE841A7241D739AA86CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?), ref: 0040C1A7
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040C1F1
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040C235
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: %%0%uu$`)~
        • API String ID: 1659193697-1685184796
        • Opcode ID: 6322b0217b1bfe78763ef96172c96011ff10bd68113704f71c1fb8f66897ea2c
        • Instruction ID: 699b31af9f14df6d9949250f9602f07ac6e266d1ef85c6dc48400adc324229a0
        • Opcode Fuzzy Hash: 6322b0217b1bfe78763ef96172c96011ff10bd68113704f71c1fb8f66897ea2c
        • Instruction Fuzzy Hash: 22E1CF71D04219EFCF11DBA4C985BFEBBB5AF05304F1481AAE881B7281D739A945CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(00000001,?,?,00000000,00000000,00000002), ref: 0040D8D1
        • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0040D939
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040D9B4
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0040DA83
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040DA9D
        • HttpQueryInfoA.WININET(?,80000023,?,?,00000000), ref: 0040DAC2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalHttpInfoQuerySection$CrackEnterInternetLeavelstrlen
        • String ID: -$1$`)~
        • API String ID: 2196631775-2802213293
        • Opcode ID: 0b8c1a35232732a8e57a250ee2befc757abc47edf4ebcd5a641ea09e7cd469d7
        • Instruction ID: cf7bfe7b3a2ad3566e8f40a457ab3f4a5ca691f9cea12f95ec1e0f0682098efe
        • Opcode Fuzzy Hash: 0b8c1a35232732a8e57a250ee2befc757abc47edf4ebcd5a641ea09e7cd469d7
        • Instruction Fuzzy Hash: AF91C4B1D04249AEEB219BE4CC45BEF7BF8AF05304F14807FE255B22D1DA785989CB19
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(00000001,?,?,00000000,00000000,00000002), ref: 0041FBC3
        • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0041FC2B
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0041FCA6
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0041FD75
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041FD8F
        • HttpQueryInfoA.WININET(?,80000023,?,?,00000000), ref: 0041FDB4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalHttpInfoQuerySection$CrackEnterInternetLeavelstrlen
        • String ID: -$1$`)~
        • API String ID: 2196631775-2802213293
        • Opcode ID: 5eeae010d27503a0205466a0676f048c0887f7e01c0860b75152d66743a06a43
        • Instruction ID: 5eee4dc120f0a476823085a4e5f480c27fc48007f6600ce07e578a2e2eded251
        • Opcode Fuzzy Hash: 5eeae010d27503a0205466a0676f048c0887f7e01c0860b75152d66743a06a43
        • Instruction Fuzzy Hash: 45911871904249AEEB219BA0DC89BFF77F8EF00304F14407BE545A2291E77869CACB59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • FindFirstUrlCacheEntryA.WININET(?,00000000,?), ref: 00416CF5
        • DeleteUrlCacheEntry.WININET(?), ref: 00416D05
        • FindNextUrlCacheEntryA.WININET(?,00000000,?), ref: 00416D21
        • FindCloseUrlCache.WININET(?), ref: 00416D2E
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00416D48
        • PathCombineW.SHLWAPI(?,?,Macromedia\Flash Player), ref: 00416D62
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Cache$EntryFind$Path$AllocateCloseCombineDeleteFirstFolderHeapNextSpecial
        • String ID: *.sol$Macromedia\Flash Player$`)~
        • API String ID: 1263512166-689784135
        • Opcode ID: 3ac89f5c0976a2ccc6e68fa3b9ddc6e0295972a7686d4ba7ac4a6893b9ef713f
        • Instruction ID: 9a584535d2737f53614830065497f6fd66761d423b4fe37fdf663e9a03cb8d32
        • Opcode Fuzzy Hash: 3ac89f5c0976a2ccc6e68fa3b9ddc6e0295972a7686d4ba7ac4a6893b9ef713f
        • Instruction Fuzzy Hash: A4115472A44208BFD7109FA5ED9AFDA7BBCEF04751F10007BF104E2190D779A9858B58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • FindFirstUrlCacheEntryA.WININET(?,00000000,?), ref: 00404A03
        • DeleteUrlCacheEntry.WININET(?), ref: 00404A13
        • FindNextUrlCacheEntryA.WININET(?,00000000,?), ref: 00404A2F
        • FindCloseUrlCache.WININET(?), ref: 00404A3C
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00404A56
        • PathCombineW.SHLWAPI(?,?,Macromedia\Flash Player), ref: 00404A70
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Cache$EntryFind$Path$AllocateCloseCombineDeleteFirstFolderHeapNextSpecial
        • String ID: *.sol$Macromedia\Flash Player$`)~
        • API String ID: 1263512166-689784135
        • Opcode ID: 2cc1bfda979d63f35028120bf95c21ba5dd5f4cfed8f2aa7bb261205e45ee8ac
        • Instruction ID: 524118a535cf4a623e165a6b81826ebafd33b79f9743c4b9184ca8f00936259f
        • Opcode Fuzzy Hash: 2cc1bfda979d63f35028120bf95c21ba5dd5f4cfed8f2aa7bb261205e45ee8ac
        • Instruction Fuzzy Hash: 83113D72A44208AFD710DBA5ED4AFAA7BBCEB44751F10007BF504F25A0DB75A9448F58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 004160D7
        • SetThreadPriority.KERNEL32(00000000), ref: 004160DE
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 004160F0
        • GetLogicalDrives.KERNEL32 ref: 00416108
        • GetDriveTypeW.KERNEL32(?), ref: 00416142
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00416162
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00416177
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ObjectSingleWait$Thread$CurrentDriveDrivesLogicalPriorityType
        • String ID: :$\
        • API String ID: 3796857172-1166558509
        • Opcode ID: e80a0fe8ad7a2a3b54afe4df97d8a44c224217f04f144c2fde51555fcc02d1f5
        • Instruction ID: 3bd0c8e80aa9e2b671159b5ee715633ca92c27a62e16785078b612b2a9f52578
        • Opcode Fuzzy Hash: e80a0fe8ad7a2a3b54afe4df97d8a44c224217f04f144c2fde51555fcc02d1f5
        • Instruction Fuzzy Hash: A511D332900204BBDB209B65DD4DEDB7BB8FF41310B18443AE816E2662D739D5C5DB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 00403DE5
        • SetThreadPriority.KERNEL32(00000000), ref: 00403DEC
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00403DFE
        • GetLogicalDrives.KERNEL32 ref: 00403E16
        • GetDriveTypeW.KERNEL32(?), ref: 00403E50
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00403E70
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00403E85
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ObjectSingleWait$Thread$CurrentDriveDrivesLogicalPriorityType
        • String ID: :$\
        • API String ID: 3796857172-1166558509
        • Opcode ID: e80a0fe8ad7a2a3b54afe4df97d8a44c224217f04f144c2fde51555fcc02d1f5
        • Instruction ID: f43838d2c33a4ff41a6ae38f20c8a0500f1cfb5f0a028c4dbb7994018915e2ea
        • Opcode Fuzzy Hash: e80a0fe8ad7a2a3b54afe4df97d8a44c224217f04f144c2fde51555fcc02d1f5
        • Instruction Fuzzy Hash: B9110332500204ABDB209F61DD4CE9B3FBCFF41312B14453AE816E22A0D7389684DBD8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00408F21: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 00408F2A
          • Part of subcall function 00408F21: lstrcpyW.KERNEL32(?,?), ref: 00408F38
        • WaitNamedPipeW.KERNEL32(?,000000FF), ref: 0040912E
        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004032BB), ref: 00409146
        • SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 00409161
        • WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0040917D
        • WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 00409196
        • WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 004091B0
        • ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 004091C9
        • ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 004091E6
        • ReadFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 00409213
        • CloseHandle.KERNEL32(00000000), ref: 0040924B
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$ReadWrite$HandleNamedPipelstrcpy$CloseCreateStateWait
        • String ID:
        • API String ID: 861822880-0
        • Opcode ID: 3228348a7e8aefae4dc21cc4b7600af2403e7f7b35427f533b420e9b184343b3
        • Instruction ID: 0f4181e92a6966e3bd0f21da7826e29468a9f8452b20c224eb824d3a02bc2e02
        • Opcode Fuzzy Hash: 3228348a7e8aefae4dc21cc4b7600af2403e7f7b35427f533b420e9b184343b3
        • Instruction Fuzzy Hash: 91411772900119BBDB219F94DC88AEF7B7CAF46310F0049BAF912F21D1D7349E498A65
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B213: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0041B21C
          • Part of subcall function 0041B213: lstrcpyW.KERNEL32(?,?), ref: 0041B22A
        • WaitNamedPipeW.KERNEL32(?,000000FF), ref: 0041B420
        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004155AD), ref: 0041B438
        • SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 0041B453
        • WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B46F
        • WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B488
        • WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B4A2
        • ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 0041B4BB
        • ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B4D8
        • ReadFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B505
        • CloseHandle.KERNEL32(00000000), ref: 0041B53D
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$ReadWrite$HandleNamedPipelstrcpy$CloseCreateStateWait
        • String ID:
        • API String ID: 861822880-0
        • Opcode ID: fed6f9f50a6655c8b312733f56f83187bd28f1428edba0aaa9b7c3a24c64807f
        • Instruction ID: 36b6a6a29a5fa5b24c028e943edc295c90cdfa90bf34ac76bfec9d21cd9ce1bf
        • Opcode Fuzzy Hash: fed6f9f50a6655c8b312733f56f83187bd28f1428edba0aaa9b7c3a24c64807f
        • Instruction Fuzzy Hash: 9A414D72900219BBDB219F95ED889FF7B7DEF05354F0041BAF512E22A1D7348A85CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • LoadLibraryA.KERNEL32(?,?), ref: 00416DB1
        • GetProcAddress.KERNEL32(00000000), ref: 00416DB8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: Z%a$`)~
        • API String ID: 2574300362-4223963740
        • Opcode ID: 21498c05db2030628e4f6ddb119525e62d4f582c03d5064e39fa0efe5d723617
        • Instruction ID: bf1c728cc7e1b2eded4f41e73afbacb623f00c1462402f48f5bfa95ac28771f9
        • Opcode Fuzzy Hash: 21498c05db2030628e4f6ddb119525e62d4f582c03d5064e39fa0efe5d723617
        • Instruction Fuzzy Hash: 2FC16C71A04208EFDB10DFA4CC84EEEBBB9FF48304F14846AE505AB251D775AD86CB64
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • LoadLibraryA.KERNEL32(?,?), ref: 00404ABF
        • GetProcAddress.KERNEL32(00000000), ref: 00404AC6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: Z%a$`)~
        • API String ID: 2574300362-4223963740
        • Opcode ID: 404790775e485383e57479f8938291dbdcd4c8cd2d2d5e04a091844275ae7da3
        • Instruction ID: cc298b43fceb464ca2a7e805f975739bf2f3059eb7ff8a542e40491494d980ef
        • Opcode Fuzzy Hash: 404790775e485383e57479f8938291dbdcd4c8cd2d2d5e04a091844275ae7da3
        • Instruction Fuzzy Hash: 95C15DB1904209EFEB10DFE4CD84EAEBBB9FF88304F14846AE501B7291D675AD45CB64
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(004102E0), ref: 004203A9
        • RtlLeaveCriticalSection.NTDLL(004102E0), ref: 00420428
        • RtlEnterCriticalSection.NTDLL(004102E0), ref: 00420462
        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004205D9
        • lstrlen.KERNEL32(?), ref: 004205E4
        • RtlLeaveCriticalSection.NTDLL(004102E0), ref: 0042062B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeavelstrlen
        • String ID: RES$`)~
        • API String ID: 3224049430-2621725692
        • Opcode ID: e4f171a16ec1ccea9fc3c1cc9328afd4d59a5668976797114648ba4c867f71ea
        • Instruction ID: 204abe21073374c11030b9391f571d8673b67700860c5a88f505a145a08028d9
        • Opcode Fuzzy Hash: e4f171a16ec1ccea9fc3c1cc9328afd4d59a5668976797114648ba4c867f71ea
        • Instruction Fuzzy Hash: 48A13531A00225AFDB319B64ED49ABB7BE5AB44304F84817BF94496253D73C9C91CB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(004102E0), ref: 0040E0B7
        • RtlLeaveCriticalSection.NTDLL(004102E0), ref: 0040E136
        • RtlEnterCriticalSection.NTDLL(004102E0), ref: 0040E170
        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040E2E7
        • lstrlen.KERNEL32(?), ref: 0040E2F2
        • RtlLeaveCriticalSection.NTDLL(004102E0), ref: 0040E339
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$EnterLeavelstrlen
        • String ID: RES$`)~
        • API String ID: 3224049430-2621725692
        • Opcode ID: 11d1d26f4f71169f1b10cc39c9b577ecbfb5ad35ebeaaa8b739eb40d355f3a09
        • Instruction ID: f2caba9a22f38e49066fb0110c2672912c7558f74ad2d2f64d7f474336af2d28
        • Opcode Fuzzy Hash: 11d1d26f4f71169f1b10cc39c9b577ecbfb5ad35ebeaaa8b739eb40d355f3a09
        • Instruction Fuzzy Hash: 57A12531900246EFDF209B66CD45AAB7BA9AF01300F08497BE854BB3D2D73C9C618B58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041F6FD
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041F73D
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041F778
        • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 0041F839
        • CreateThread.KERNEL32(00000000,00000000,Function_0000D184,?,00000000,00000000), ref: 0041F887
        • CloseHandle.KERNEL32(?), ref: 0041F8FD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen$CloseCrackCreateHandleInternetThread
        • String ID: <$=-=-PaNdA!$2+)(*
        • API String ID: 3540232792-285116904
        • Opcode ID: 7bf480c7204060c679018d373fc066b99004dad02f98dceaae70c986238e015e
        • Instruction ID: 8ce012c5179dfb2dbfa6e753026c0a653fffdbd1e16524e2ff845ad385f20f66
        • Opcode Fuzzy Hash: 7bf480c7204060c679018d373fc066b99004dad02f98dceaae70c986238e015e
        • Instruction Fuzzy Hash: 6B8182B1C00209BEDF10ABA5CC85AFEBBB9EF04314F14416BF555E2191E73899D9CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040D40B
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040D44B
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040D486
        • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 0040D547
        • CreateThread.KERNEL32(00000000,00000000,Function_0000D184,?,00000000,00000000), ref: 0040D595
        • CloseHandle.KERNEL32(?), ref: 0040D60B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen$CloseCrackCreateHandleInternetThread
        • String ID: <$=-=-PaNdA!$2+)(*
        • API String ID: 3540232792-285116904
        • Opcode ID: f91c2f922cae47cfc210d9b7ff364899aeaeeb794b366e5b6dc583ce8af199b7
        • Instruction ID: 4cd96c1c644d3ee76f7cffc5fb68d7349b67e9e40d3fb521ca15ef363d56812f
        • Opcode Fuzzy Hash: f91c2f922cae47cfc210d9b7ff364899aeaeeb794b366e5b6dc583ce8af199b7
        • Instruction Fuzzy Hash: A68193B1C00209AEDF10ABA5CC45ABFBBB8EF04314F54457AF555F21D1E73999888B68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004034EE: CloseHandle.KERNEL32(004036C0,?), ref: 004034F4
          • Part of subcall function 004034EE: GetCurrentThread.KERNEL32 ref: 00403528
          • Part of subcall function 004034EE: SetThreadPriority.KERNEL32(00000000), ref: 0040352F
        • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004060CF
        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406109
        • lstrcpy.KERNEL32(00000002,?), ref: 004061B4
        • HttpOpenRequestA.WININET(?,POST,00000000,00000000,00000000,00000000,846CF300,00000000), ref: 004061CE
        • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 004061E3
          • Part of subcall function 00405881: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00405898
          • Part of subcall function 00405881: InternetReadFile.WININET(?,?,?,?), ref: 004058B5
        • InternetCloseHandle.WININET(00000000), ref: 0040622D
        • InternetCloseHandle.WININET(?), ref: 00406246
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$CloseHandle$HttpRequestThread$ConnectCrackCurrentFileObjectOpenPriorityReadSendSingleWaitlstrcpy
        • String ID: POST
        • API String ID: 3680121952-1814004025
        • Opcode ID: 12763b395bd6aa76c11ca02251217c9648bb45a43f0e85ee4fc5720324776010
        • Instruction ID: 32f864d70aac4a85b9d8d50cf314c7ba6faf57b443366ff75cd0c7499d819185
        • Opcode Fuzzy Hash: 12763b395bd6aa76c11ca02251217c9648bb45a43f0e85ee4fc5720324776010
        • Instruction Fuzzy Hash: 00519D72900259ABDF21AF90DC859EFBB78EF05345F14007FE801B6291DB394E95CBA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004157E0: CloseHandle.KERNEL32(004159B2,?), ref: 004157E6
          • Part of subcall function 004157E0: GetCurrentThread.KERNEL32 ref: 0041581A
          • Part of subcall function 004157E0: SetThreadPriority.KERNEL32(00000000), ref: 00415821
        • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 004183C1
        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004183FB
        • lstrcpy.KERNEL32(00000002,?), ref: 004184A6
        • HttpOpenRequestA.WININET(?,POST,00000000,00000000,00000000,00000000,846CF300,00000000), ref: 004184C0
        • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 004184D5
          • Part of subcall function 00417B73: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00417B8A
          • Part of subcall function 00417B73: InternetReadFile.WININET(?,?,?,?), ref: 00417BA7
        • InternetCloseHandle.WININET(00000000), ref: 0041851F
        • InternetCloseHandle.WININET(?), ref: 00418538
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$CloseHandle$HttpRequestThread$ConnectCrackCurrentFileObjectOpenPriorityReadSendSingleWaitlstrcpy
        • String ID: POST
        • API String ID: 3680121952-1814004025
        • Opcode ID: 19d0c3a5d566856e8ea13c0898cbe3677ccc0c0dd7bde7dcbf181ab2139958c1
        • Instruction ID: c149e46856d0b628d8d81883508a060d51e073fac0915620bca43604fbd1c460
        • Opcode Fuzzy Hash: 19d0c3a5d566856e8ea13c0898cbe3677ccc0c0dd7bde7dcbf181ab2139958c1
        • Instruction Fuzzy Hash: 615158B2900259BBDF21AFA0DD859EFBB79EF04349F14006FF401B2251DB395A85CB69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(0040F7B0), ref: 0040388A
        • lstrcpyW.KERNEL32(?), ref: 004038C8
        • lstrcatW.KERNEL32(?,?), ref: 004038DD
        • InternetOpenUrlA.WININET(?,00000000,00000000,84043300,00000000), ref: 004038F9
        • WaitForSingleObject.KERNEL32(00002710), ref: 00403994
        • InternetOpenUrlA.WININET(00000000,00000000,00000000,84043300,00000000), ref: 004039AD
          • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        • RtlLeaveCriticalSection.NTDLL(0040F7B0), ref: 004039FC
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalInternetOpenSection$EnterFreeHeapLeaveObjectSingleWaitlstrcatlstrcpy
        • String ID: `)~
        • API String ID: 3239308463-1148047842
        • Opcode ID: 6b26b821ca458f8bc0973d7b383ce6706a14a38dd6f12c3e6ce70e1de3f585b2
        • Instruction ID: 0d5b85eac16343af62d42ccf80a2bab6cc8d2c33daa58fbbb8ea1cd0fa0300a0
        • Opcode Fuzzy Hash: 6b26b821ca458f8bc0973d7b383ce6706a14a38dd6f12c3e6ce70e1de3f585b2
        • Instruction Fuzzy Hash: B44124B2904105BFDF306FA1DD8ADAF7F2CEB0031AB14007BF444B25D1DA3A5E498A69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(0040F7B0), ref: 00415B7C
        • lstrcpyW.KERNEL32(?), ref: 00415BBA
        • lstrcatW.KERNEL32(?,?), ref: 00415BCF
        • InternetOpenUrlA.WININET(?,00000000,00000000,84043300,00000000), ref: 00415BEB
        • WaitForSingleObject.KERNEL32(00002710), ref: 00415C86
        • InternetOpenUrlA.WININET(00000000,00000000,00000000,84043300,00000000), ref: 00415C9F
          • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
        • RtlLeaveCriticalSection.NTDLL(0040F7B0), ref: 00415CEE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalInternetOpenSection$EnterFreeHeapLeaveObjectSingleWaitlstrcatlstrcpy
        • String ID: `)~
        • API String ID: 3239308463-1148047842
        • Opcode ID: edce8ff4219ddac8ce72482b6dd53c0df93b95764d9c90f751465db0aa850f2e
        • Instruction ID: 9784bef67f61df4ec7df284eebadedb3aeafab1153d496ec56e79a5a6ddf0ee4
        • Opcode Fuzzy Hash: edce8ff4219ddac8ce72482b6dd53c0df93b95764d9c90f751465db0aa850f2e
        • Instruction Fuzzy Hash: EC410672804609FFDF206F60ED89DEF7B79EB80318B14007BF404A2691E6395DC59AE9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CertImportStoreSystemTimelstrcatlstrlenwnsprintf
        • String ID: .txt$`)~$grb
        • API String ID: 3057540157-3226037400
        • Opcode ID: 7879e4c8ab9e27112c878dab2a996f436f7da189b0dd622109323d2ce9135532
        • Instruction ID: 01cc17e44de35fbcfe7a0f8ce54c6caab40c143548f122c1b4079c1c498be9f1
        • Opcode Fuzzy Hash: 7879e4c8ab9e27112c878dab2a996f436f7da189b0dd622109323d2ce9135532
        • Instruction Fuzzy Hash: E0214F72900708ABDB219BE5DD49EDA73BDAF48705F044436BA58E3160D73D9888CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CertImportStoreSystemTimelstrcatlstrlenwnsprintf
        • String ID: .txt$`)~$grb
        • API String ID: 3057540157-3226037400
        • Opcode ID: 7879e4c8ab9e27112c878dab2a996f436f7da189b0dd622109323d2ce9135532
        • Instruction ID: bb7b6402e7ac3b3effa1c11d9fb3c10af9062d7af78ddfb50b36a696e56ddd13
        • Opcode Fuzzy Hash: 7879e4c8ab9e27112c878dab2a996f436f7da189b0dd622109323d2ce9135532
        • Instruction Fuzzy Hash: B7219672500208ABDB309FD4ED48E9B77ACEF48701F044436BD55E3190DB79E948C764
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: &i=$&lcp=$&n=$&pr=$&s=$&sp=$&v=
        • API String ID: 1659193697-1780237566
        • Opcode ID: d2075e31df40ec7e4cc37f88fca0c29806bbf98e560a8c11d9bbdd6785b669ee
        • Instruction ID: 33d6eb2846cc61ffa3853b0fb89a8a8a4f35e015d76470a981f8864866113fcc
        • Opcode Fuzzy Hash: d2075e31df40ec7e4cc37f88fca0c29806bbf98e560a8c11d9bbdd6785b669ee
        • Instruction Fuzzy Hash: 0351D2B68402457EDB01EBA5DC52EFB37ACFF15748F04043BB981E3161E67898598BB8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: &i=$&lcp=$&n=$&pr=$&s=$&sp=$&v=
        • API String ID: 1659193697-1780237566
        • Opcode ID: d2075e31df40ec7e4cc37f88fca0c29806bbf98e560a8c11d9bbdd6785b669ee
        • Instruction ID: 98774508b8a035cde5116ebc5689c9d0629f10a91bbe3444886611f51d9cca31
        • Opcode Fuzzy Hash: d2075e31df40ec7e4cc37f88fca0c29806bbf98e560a8c11d9bbdd6785b669ee
        • Instruction Fuzzy Hash: 6851B1B25002057EDB12EFA5DD46EFB37ACAB05704F04443FBA94F7191EA7895048BB8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0041F9B0
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041FA22
        • InternetQueryOptionA.WININET(?,0000002D,00000000,?), ref: 0041FA4A
        • InternetSetOptionA.WININET(?,0000002D,00000000,00000004), ref: 0041FA60
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0041FA6A
        • InternetReadFile.WININET(?,?,?,?), ref: 0041FA80
        • InternetReadFileExA.WININET(?,?,?,?), ref: 0041FA98
        • InternetReadFileExW.WININET(?,?,?,?), ref: 0041FAAA
        • InternetQueryDataAvailable.WININET(?,?,?,?), ref: 0041FAB6
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$CriticalFileReadSection$LeaveOptionQuery$AvailableDataEnter
        • String ID:
        • API String ID: 1566214694-0
        • Opcode ID: 12993b84451e3f022f39ab0ac84cd116bc7e24eff4f66fe188cb238cac8350d0
        • Instruction ID: 7ccb2623c46be11e8217e1bca8ef1d75f4f50e8cbf74c7b91917fd795ce9aa7e
        • Opcode Fuzzy Hash: 12993b84451e3f022f39ab0ac84cd116bc7e24eff4f66fe188cb238cac8350d0
        • Instruction Fuzzy Hash: CD318072500248BFDF218FA0DD49FEA7F79AF08394F14407AF905A21A1C37D99DA9B58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(004102C4), ref: 0040D6BE
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040D730
        • InternetQueryOptionA.WININET(?,0000002D,00000000,?), ref: 0040D758
        • InternetSetOptionA.WININET(?,0000002D,00000000,00000004), ref: 0040D76E
        • RtlLeaveCriticalSection.NTDLL(004102C4), ref: 0040D778
        • InternetReadFile.WININET(?,?,?,?), ref: 0040D78E
        • InternetReadFileExA.WININET(?,?,?,?), ref: 0040D7A6
        • InternetReadFileExW.WININET(?,?,?,?), ref: 0040D7B8
        • InternetQueryDataAvailable.WININET(?,?,?,?), ref: 0040D7C4
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Internet$CriticalFileReadSection$LeaveOptionQuery$AvailableDataEnter
        • String ID:
        • API String ID: 1566214694-0
        • Opcode ID: 12993b84451e3f022f39ab0ac84cd116bc7e24eff4f66fe188cb238cac8350d0
        • Instruction ID: e55d33e42ef1e7329eac69ad83b58b5a1dcd6e80cbb8bbe2603f84a2d41c0f6b
        • Opcode Fuzzy Hash: 12993b84451e3f022f39ab0ac84cd116bc7e24eff4f66fe188cb238cac8350d0
        • Instruction Fuzzy Hash: 66317C72800249FFDF228FA0CD89FAA7F79AB08344F14057AF901721A1C3799998DB94
        Uniqueness

        Uniqueness Score: -1.00%
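
        The WinINet entries above print their dwFlags arguments as raw hex (846CF300 for HttpOpenRequestA, 84043300 for InternetOpenUrlA) and the hooked-option entries pass 0000002D to InternetQueryOptionA/InternetSetOptionA. The decoder below is an added example, not part of the Joe Sandbox report or the sample; it maps those values to their wininet.h names so the security-relevant bits (certificate checks ignored, no UI, no redirects, no caching) can be read directly from the listing. The bit values are the SDK constants; the remark texts are the editor's own triage wording.

```python
"""Decode the WinINet flag words and option codes printed in the report."""

# Bit values from wininet.h (Windows SDK); these are exact, not assumptions.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x40000000: "INTERNET_FLAG_RAW_DATA",
    0x20000000: "INTERNET_FLAG_EXISTING_CONNECT",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x08000000: "INTERNET_FLAG_PASSIVE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x02000000: "INTERNET_FLAG_MAKE_PERSISTENT",
    0x01000000: "INTERNET_FLAG_FROM_CACHE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00100000: "INTERNET_FLAG_READ_PREFETCH",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00020000: "INTERNET_FLAG_RESTRICTED_ZONE",
    0x00010000: "INTERNET_FLAG_CACHE_IF_NET_FAIL",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP",
    0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000800: "INTERNET_FLAG_RESYNCHRONIZE",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# dwOption values for InternetQueryOption/InternetSetOption (wininet.h).
INTERNET_OPTIONS = {
    31: "INTERNET_OPTION_SECURITY_FLAGS",
    45: "INTERNET_OPTION_CONTEXT_VALUE",   # 0x2D, as printed in the report
}

# Triage remarks (editor's wording): each fires only if every listed bit is set.
REMARKS = [
    ({0x00002000, 0x00001000}, "accepts certificates with a bad name or date"),
    ({0x00000200}, "suppresses WinINet UI, so no certificate or auth prompt appears"),
    ({0x80000000, 0x04000000, 0x00000100}, "bypasses the WinINet cache in both directions"),
    ({0x00200000}, "does not follow HTTP redirects"),
    ({0x00080000, 0x00040000}, "sends no cookies and performs no automatic authentication"),
]


def _to_int(value):
    """Accept an int or the 8-hex-digit string exactly as the report prints it."""
    return int(value, 16) if isinstance(value, str) else value


def decode_flags(value):
    """Return (list of flag names, leftover bits not covered by the table)."""
    value = _to_int(value)
    names, leftover = [], value
    for bit, name in INTERNET_FLAGS.items():
        if value & bit:
            names.append(name)
            leftover &= ~bit
    return names, leftover


def remarks_for(value):
    """Return the triage remarks whose whole bit set is present in value."""
    value = _to_int(value)
    return [text for bits_, text in REMARKS if all(value & b for b in bits_)]


def decode_option(value):
    """Map a dwOption argument (e.g. '0000002D') to its constant name."""
    return INTERNET_OPTIONS.get(_to_int(value), "unknown option")


# The three values as they appear in the listings above.
REPORT_VALUES = {
    "HttpOpenRequestA dwFlags": "846CF300",
    "InternetOpenUrlA dwFlags": "84043300",
    "InternetQueryOptionA dwOption": "0000002D",
}

if __name__ == "__main__":
    for label, raw in REPORT_VALUES.items():
        if label.endswith("dwOption"):
            print(f"{label} {raw}: {decode_option(raw)}")
            continue
        names, left = decode_flags(raw)
        print(f"{label} {raw}: {' | '.join(names)}  (leftover {left:#x})")
        for r in remarks_for(raw):
            print("   -", r)
```

        Both flag words decode with no leftover bits, which is itself a useful sanity check: a leftover would mean the printed argument was stack residue rather than a real flag word. The 0x2D option resolves to INTERNET_OPTION_CONTEXT_VALUE, and the matching InternetSetOptionA call writes exactly 4 bytes, the size of a DWORD_PTR on 32-bit Windows.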

        APIs
          • Part of subcall function 0041BBC6: GetProcessTimes.KERNEL32(?,?,?,?,004164B8,?,?,?,?,004164B8,00000002,?), ref: 0041BBDF
          • Part of subcall function 0041BBC6: wnsprintfW.SHLWAPI ref: 0041BC01
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00418E46
        • CloseHandle.KERNEL32(00000000), ref: 00418E51
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00418E67
        • CreateMutexW.KERNEL32(0040FE78,00000001,?), ref: 00418E7F
        • CloseHandle.KERNEL32(?), ref: 00418EA5
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00418EC6
        • Sleep.KERNEL32(00000014), ref: 00418ED2
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00418EDD
        • CloseHandle.KERNEL32(00000000), ref: 00418EEA
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Mutex$CloseHandleOpen$Process$CodeCreateExitSleepTimeswnsprintf
        • String ID:
        • API String ID: 3355469312-0
        • Opcode ID: 41f8739e3f695d46b3f4793d2f93d0d09b731fe8008a10d48392c82a3fa46f66
        • Instruction ID: 96ba0cd36e69681475372e0085548be66537808327c91db72c56ec17219573c5
        • Opcode Fuzzy Hash: 41f8739e3f695d46b3f4793d2f93d0d09b731fe8008a10d48392c82a3fa46f66
        • Instruction Fuzzy Hash: 462180B1500209BBDB209BA09D88EFE777DEF55305F00447AF605E2510DB785EC99A69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004098D4: GetProcessTimes.KERNEL32(?,?,?,?,004041C6,?,?,?,?,004041C6,00000002,?), ref: 004098ED
          • Part of subcall function 004098D4: wnsprintfW.SHLWAPI ref: 0040990F
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00406B54
        • CloseHandle.KERNEL32(00000000), ref: 00406B5F
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00406B75
        • CreateMutexW.KERNEL32(0040FE78,00000001,?), ref: 00406B8D
        • CloseHandle.KERNEL32(?), ref: 00406BB3
        • OpenMutexW.KERNEL32(001F0001,00000000,?), ref: 00406BD4
        • Sleep.KERNEL32(00000014), ref: 00406BE0
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00406BEB
        • CloseHandle.KERNEL32(00000000), ref: 00406BF8
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Mutex$CloseHandleOpen$Process$CodeCreateExitSleepTimeswnsprintf
        • String ID:
        • API String ID: 3355469312-0
        • Opcode ID: 4186da7724976659e4d5288faed6adc403de83cd85240592ce3d0dbb9706e357
        • Instruction ID: 969aa6a828c5e9aad85975d7db1772bdd4a0bba593d0626d03bfeb153e9f843c
        • Opcode Fuzzy Hash: 4186da7724976659e4d5288faed6adc403de83cd85240592ce3d0dbb9706e357
        • Instruction Fuzzy Hash: D82162B1500119BBDB20AF609D89EFE777CEF15305F00407AF602F2590D7789E999B69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00408F21: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 00408F2A
          • Part of subcall function 00408F21: lstrcpyW.KERNEL32(?,?), ref: 00408F38
          • Part of subcall function 00408E3F: RtlAllocateHeap.NTDLL(00000008,?,0040323C), ref: 00408E53
        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00000200,00000200,00000000,00000000,0040F3D0,00000000), ref: 0040A3EC
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A406
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040A413
        • CreateThread.KERNEL32(00000000,00000000,00408F40,00000000,00000000,00000000), ref: 0040A438
        • CloseHandle.KERNEL32(00000000), ref: 0040A444
        • CloseHandle.KERNEL32(?), ref: 0040A44D
        • CloseHandle.KERNEL32(?), ref: 0040A456
          • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        • CloseHandle.KERNEL32(00000000), ref: 0040A46E
        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040A479
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateHandle$EventHeaplstrcpy$AllocateFreeNamedObjectPipeSingleThreadWait
        • String ID:
        • API String ID: 2368775089-0
        • Opcode ID: d66b614b628d70826475bab8cb7e98902e87881c61ec60975857e11c258c7b5a
        • Instruction ID: 75b3f87604fc0912f0d9602cf4dbe7d34a130b34ec4a480328faa5120d330165
        • Opcode Fuzzy Hash: d66b614b628d70826475bab8cb7e98902e87881c61ec60975857e11c258c7b5a
        • Instruction Fuzzy Hash: 1F218C31500301BBCB306B32DD0DD5B7BB9EF82B11B10493EF5A6E15E0DB7898559BA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BCA2: PathCombineW.SHLWAPI(?,?,007E2960), ref: 0041BCC7
          • Part of subcall function 0041BCA2: CreateDirectoryW.KERNEL32(?,00000000), ref: 0041BCD6
          • Part of subcall function 0041BCA2: SetFileAttributesW.KERNEL32(?,00000006), ref: 0041BCE5
          • Part of subcall function 00417C33: HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 00417C5B
          • Part of subcall function 00417C33: CreateFileW.KERNEL32(000000C8,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00417C88
          • Part of subcall function 00417C33: WaitForSingleObject.KERNEL32(00415976,00000000), ref: 00417CA0
          • Part of subcall function 00417C33: InternetReadFile.WININET(00000004,?,00000400,00000004), ref: 00417CBD
          • Part of subcall function 00417C33: WriteFile.KERNEL32(00000000,?,00000004,00415976,00000000), ref: 00417CE0
          • Part of subcall function 00417C33: FlushFileBuffers.KERNEL32(00000000), ref: 00417CFC
          • Part of subcall function 00417C33: CloseHandle.KERNEL32(00000000), ref: 00417D03
        • InternetCloseHandle.WININET(?), ref: 0041597F
        • GetCurrentThread.KERNEL32 ref: 004159E1
        • GetThreadPriority.KERNEL32(00000000,?,?,?), ref: 004159EA
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,?), ref: 004159F5
        • MoveFileExW.KERNEL32(?,?,00000003,?,?,?,?,?,?,?), ref: 00415A21
        • SetThreadPriority.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00415A5B
          • Part of subcall function 004157E0: CloseHandle.KERNEL32(004159B2,?), ref: 004157E6
          • Part of subcall function 004157E0: GetCurrentThread.KERNEL32 ref: 0041581A
          • Part of subcall function 004157E0: SetThreadPriority.KERNEL32(00000000), ref: 00415821
          • Part of subcall function 0041B964: SetFileAttributesW.KERNEL32(0041D6D7,00000020,0041D6D7,?), ref: 0041B96A
          • Part of subcall function 0041B964: DeleteFileW.KERNEL32(?), ref: 0041B974
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Thread$Priority$CloseHandle$AttributesCreateCurrentInternet$BuffersCombineDeleteDirectoryFlushHttpInfoMoveObjectPathQueryReadSingleWaitWrite
        • String ID: `)~
        • API String ID: 2513461391-1148047842
        • Opcode ID: 75faf48cb7bb47fef003a4b4023a73f680dc3fa67a0f4b599069422f0e80fda7
        • Instruction ID: 0e683fd433880a0443bf9a885e45184808edc4acc824f0032d634c20ed0e0b3d
        • Opcode Fuzzy Hash: 75faf48cb7bb47fef003a4b4023a73f680dc3fa67a0f4b599069422f0e80fda7
        • Instruction Fuzzy Hash: B551D4B1554608FEDF11BBA1EC82EEE7B39EF40358F14007BF504611A2DB3A9AD58A58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004099B0: PathCombineW.SHLWAPI(?,?,007E2960), ref: 004099D5
          • Part of subcall function 004099B0: CreateDirectoryW.KERNEL32(?,00000000), ref: 004099E4
          • Part of subcall function 004099B0: SetFileAttributesW.KERNEL32(?,00000006), ref: 004099F3
          • Part of subcall function 00405941: HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 00405969
          • Part of subcall function 00405941: CreateFileW.KERNEL32(000000C8,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405996
          • Part of subcall function 00405941: WaitForSingleObject.KERNEL32(00403684,00000000), ref: 004059AE
          • Part of subcall function 00405941: InternetReadFile.WININET(00000004,?,00000400,00000004), ref: 004059CB
          • Part of subcall function 00405941: WriteFile.KERNEL32(00000000,?,00000004,00403684,00000000), ref: 004059EE
          • Part of subcall function 00405941: FlushFileBuffers.KERNEL32(00000000), ref: 00405A0A
          • Part of subcall function 00405941: CloseHandle.KERNEL32(00000000), ref: 00405A11
        • InternetCloseHandle.WININET(?), ref: 0040368D
        • GetCurrentThread.KERNEL32 ref: 004036EF
        • GetThreadPriority.KERNEL32(00000000,?,?,?), ref: 004036F8
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,?), ref: 00403703
        • MoveFileExW.KERNEL32(?,?,00000003,?,?,?,?,?,?,?), ref: 0040372F
        • SetThreadPriority.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00403769
          • Part of subcall function 004034EE: CloseHandle.KERNEL32(004036C0,?), ref: 004034F4
          • Part of subcall function 004034EE: GetCurrentThread.KERNEL32 ref: 00403528
          • Part of subcall function 004034EE: SetThreadPriority.KERNEL32(00000000), ref: 0040352F
          • Part of subcall function 00409672: SetFileAttributesW.KERNELBASE(0040B3E5,00000020,0040B3E5,?), ref: 00409678
          • Part of subcall function 00409672: DeleteFileW.KERNELBASE(?), ref: 00409682
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Thread$Priority$CloseHandle$AttributesCreateCurrentInternet$BuffersCombineDeleteDirectoryFlushHttpInfoMoveObjectPathQueryReadSingleWaitWrite
        • String ID: `)~
        • API String ID: 2513461391-1148047842
        • Opcode ID: 92d92d1c5dd582360cc24764e37c92161f70e755c360cc53961c73400e98bf02
        • Instruction ID: 84a1114c6b21ae264b21dbed1b865f8ce2d2058c3d40b6df4b43fa39bbccb101
        • Opcode Fuzzy Hash: 92d92d1c5dd582360cc24764e37c92161f70e755c360cc53961c73400e98bf02
        • Instruction Fuzzy Hash: 2351B5725042087EDF21BFA1DD45EAE7F6CAF00319F1444BBF401B55E3DA3A9E988A58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • MoveFileExW.KERNEL32(?,?,00000003), ref: 0040B873
        • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B8A9
        • lstrlen.KERNEL32 ref: 0040B8E3
        • lstrlen.KERNEL32(?), ref: 0040B923
          • Part of subcall function 0040968E: CreateMutexW.KERNEL32(0040FE78,00000000,?,?,00403438,?,?,?,004036A4,?,00000001), ref: 0040969A
          • Part of subcall function 0040968E: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00403438,?,?,?,004036A4,?,00000001), ref: 004096A5
          • Part of subcall function 0040968E: CloseHandle.KERNEL32(00000000,?,00403438,?,?,?,004036A4,?,00000001), ref: 004096B7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Filelstrlen$AttributesCloseCreateHandleMoveMutexObjectSingleWait
        • String ID: &i=$LLAH$`)~
        • API String ID: 2231744441-540211354
        • Opcode ID: 78744ec87957ecccf6613a70105da419dfaf71ff94d76bff45bc0c207c0e7bea
        • Instruction ID: 3ff9b6bc603d975bfcdfc87de34d8c82305a1e5d9b43327f282af960c75fb374
        • Opcode Fuzzy Hash: 78744ec87957ecccf6613a70105da419dfaf71ff94d76bff45bc0c207c0e7bea
        • Instruction Fuzzy Hash: AF51D4B2540204AFD721EF68CD85FAB77E9EF15304F04443EF585AB2A2D739A8448B69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • MoveFileExW.KERNEL32(?,?,00000003), ref: 0041DB65
        • SetFileAttributesW.KERNEL32(?,00000080), ref: 0041DB9B
        • lstrlen.KERNEL32 ref: 0041DBD5
        • lstrlen.KERNEL32(?), ref: 0041DC15
          • Part of subcall function 0041B980: CreateMutexW.KERNEL32(0040FE78,00000000,?,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B98C
          • Part of subcall function 0041B980: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B997
          • Part of subcall function 0041B980: CloseHandle.KERNEL32(00000000,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B9A9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Filelstrlen$AttributesCloseCreateHandleMoveMutexObjectSingleWait
        • String ID: &i=$LLAH$`)~
        • API String ID: 2231744441-540211354
        • Opcode ID: 5af9cf06b64d64c6566055ade6f74b9e8c5f66376941a31befcaa9e0c06a57ae
        • Instruction ID: 9406a1ddf29348025fb6b1f5db11847a94715ca86180bc0872f17de2a288c81e
        • Opcode Fuzzy Hash: 5af9cf06b64d64c6566055ade6f74b9e8c5f66376941a31befcaa9e0c06a57ae
        • Instruction Fuzzy Hash: 7751F5B2540204AFC721EF68CC81EEB77E9EF18304F05082AF59597252E779B884CB69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0040968E: CreateMutexW.KERNEL32(0040FE78,00000000,?,?,00403438,?,?,?,004036A4,?,00000001), ref: 0040969A
          • Part of subcall function 0040968E: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00403438,?,?,?,004036A4,?,00000001), ref: 004096A5
          • Part of subcall function 0040968E: CloseHandle.KERNEL32(00000000,?,00403438,?,?,?,004036A4,?,00000001), ref: 004096B7
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,004036A4,?,00000001), ref: 00403477
        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,004036A4,?,00000001), ref: 004034AC
        • CloseHandle.KERNEL32(?,?,?,004036A4,?,00000001), ref: 004034BD
        • GetCurrentThread.KERNEL32 ref: 004034C6
        • GetThreadPriority.KERNEL32(00000000,?,?,?,004036A4,?,00000001), ref: 004034CF
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,?,004036A4,?,00000001), ref: 004034DD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread$CloseCreateFileHandlePriority$CurrentMutexObjectSingleSizeWait
        • String ID: `)~
        • API String ID: 2396115053-1148047842
        • Opcode ID: 9496135ac25ee1ad685c3d915968504f747c2ecc858d8c50b859e20cf7dce1a3
        • Instruction ID: 6f535514af11f1174a92b700b4711cbdf656cd7addc231df1e9a3415ea5ba376
        • Opcode Fuzzy Hash: 9496135ac25ee1ad685c3d915968504f747c2ecc858d8c50b859e20cf7dce1a3
        • Instruction Fuzzy Hash: 1311D331412520BBC6329F66EE4CD5B3E6CEF46762B100136F405FA9B2C6394905CBE9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B980: CreateMutexW.KERNEL32(0040FE78,00000000,?,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B98C
          • Part of subcall function 0041B980: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B997
          • Part of subcall function 0041B980: CloseHandle.KERNEL32(00000000,?,0041572A,?,?,?,00415996,?,00000001), ref: 0041B9A9
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,00415996,?,00000001), ref: 00415769
        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00415996,?,00000001), ref: 0041579E
        • CloseHandle.KERNEL32(?,?,?,00415996,?,00000001), ref: 004157AF
        • GetCurrentThread.KERNEL32 ref: 004157B8
        • GetThreadPriority.KERNEL32(00000000,?,?,?,00415996,?,00000001), ref: 004157C1
        • SetThreadPriority.KERNEL32(00000000,00000002,?,?,?,00415996,?,00000001), ref: 004157CF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread$CloseCreateFileHandlePriority$CurrentMutexObjectSingleSizeWait
        • String ID: `)~
        • API String ID: 2396115053-1148047842
        • Opcode ID: 9913d0a1979ec589fca093d2450ec435c6dc10ff2f44d6f26567154a366d6a4f
        • Instruction ID: 9905d1dc241eba8c3806ebe178688f0aca989eabdff1ca0db01bf4e0693f609b
        • Opcode Fuzzy Hash: 9913d0a1979ec589fca093d2450ec435c6dc10ff2f44d6f26567154a366d6a4f
        • Instruction Fuzzy Hash: 6811DC31102520FFC6315F66EE4EDCB3E68EF46361B100036F415A69B1D2784895CBE8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00409800: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,004099C5,?), ref: 00409821
        • PathCombineW.SHLWAPI(?,007E2960,?), ref: 0040AEA3
        • PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0040AEB2
        • GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0040AECB
        • GetTimeZoneInformation.KERNEL32(?), ref: 0040AEDA
        • GetVersionExW.KERNEL32(0040FF98), ref: 0040AF1C
        • lstrlenW.KERNEL32(0040FFAC), ref: 0040AF27
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FileFolderInformationModuleNameSpecialTimeVersionZonelstrlen
        • String ID: `)~
        • API String ID: 1803189752-1148047842
        • Opcode ID: 25f5245fe4c74efc4a851f4d755724719012d2ffcac0cc0ccf9bb547bc37aa7b
        • Instruction ID: 6609e566eb719137b9f9323dd9ce6f5350ed35f1ab545466b9a8513ecd23c582
        • Opcode Fuzzy Hash: 25f5245fe4c74efc4a851f4d755724719012d2ffcac0cc0ccf9bb547bc37aa7b
        • Instruction Fuzzy Hash: BA21A135108246DED720EBB4EE0ABD93B64EB06708F144036F805F29A1D7789549CB6D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 00409C15
        • SetThreadPriority.KERNEL32(00000000), ref: 00409C1C
        • SHDeleteKeyA.SHLWAPI(80000001,?), ref: 00409C2F
        • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00409C43
        • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00409C52
        • Sleep.KERNEL32(000003E8), ref: 00409C5D
          • Part of subcall function 004090F0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004032BB), ref: 00409146
          • Part of subcall function 004090F0: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 00409161
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0040917D
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 00409196
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 004091B0
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 004091C9
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 004091E6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$DeleteWrite$ReadThread$CreateCurrentHandleNamedPipePrioritySleepState
        • String ID: `)~
        • API String ID: 2160410962-1148047842
        • Opcode ID: 3e8a0f9a79c3ee550772d4ec913ed08596711e52e96872a22bc9a670c2e7f674
        • Instruction ID: ec9947d47470c6962dbd19a52fed758d86d5190c044bdd9214f35a7112e47179
        • Opcode Fuzzy Hash: 3e8a0f9a79c3ee550772d4ec913ed08596711e52e96872a22bc9a670c2e7f674
        • Instruction Fuzzy Hash: A3F03032110A00EFE7219BA4EE4DE593B79FB08301B010170FA01E6972C6769898DF58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetCurrentThread.KERNEL32 ref: 0041BF07
        • SetThreadPriority.KERNEL32(00000000), ref: 0041BF0E
        • SHDeleteKeyA.SHLWAPI(80000001,?), ref: 0041BF21
        • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 0041BF35
        • SHDeleteKeyA.SHLWAPI(80000002,?), ref: 0041BF44
        • Sleep.KERNEL32(000003E8), ref: 0041BF4F
          • Part of subcall function 0041B3E2: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004155AD), ref: 0041B438
          • Part of subcall function 0041B3E2: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 0041B453
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B46F
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B488
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B4A2
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 0041B4BB
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B4D8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$DeleteWrite$ReadThread$CreateCurrentHandleNamedPipePrioritySleepState
        • String ID: `)~
        • API String ID: 2160410962-1148047842
        • Opcode ID: 00f11f1a8e4966002b8634585801a1cb5ea61f14214002b945308a610060c0da
        • Instruction ID: ded5c829e740e5e2fa0118e4afb398525c53a57c2958b75c3700baa77f4e6eb5
        • Opcode Fuzzy Hash: 00f11f1a8e4966002b8634585801a1cb5ea61f14214002b945308a610060c0da
        • Instruction Fuzzy Hash: 9BF03032110A00EFE3219BA4EE4DE593B79FB08301B010170FE01E6971C67698988F98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00416BED
          • Part of subcall function 00419474: LoadLibraryA.KERNEL32(?,?), ref: 0041948C
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004194A0
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004194B5
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004194CA
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004194DF
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004194F4
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 00419509
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 0041951E
          • Part of subcall function 00419474: LoadLibraryA.KERNEL32(?), ref: 0041957A
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 0041958E
          • Part of subcall function 00419474: LoadLibraryA.KERNEL32(?), ref: 004195B2
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004195C6
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004195DB
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 004195F0
          • Part of subcall function 00419474: GetProcAddress.KERNEL32(00000000,?), ref: 00419605
        • GetTickCount.KERNEL32 ref: 00416B34
        • GetCurrentProcessId.KERNEL32(00000000), ref: 00416B3B
        • wnsprintfW.SHLWAPI ref: 00416B5A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad$ByteCharCountCurrentMultiProcessTickWidewnsprintf
        • String ID: `)~$unknown
        • API String ID: 2485750521-4245423004
        • Opcode ID: 75cfedc442df4b95d8e8b696a4586716fe7ccb04c58e01054ed7b52e6b9cf427
        • Instruction ID: 18fd5968619a948b39d734bdce28081b019a1a26abce929c17cb7484b817472a
        • Opcode Fuzzy Hash: 75cfedc442df4b95d8e8b696a4586716fe7ccb04c58e01054ed7b52e6b9cf427
        • Instruction Fuzzy Hash: 9531C576501118ABDF30DB94DE84EEB77ACEB04350F064076F949E7151E638EE85CB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004048FB
          • Part of subcall function 00407182: LoadLibraryA.KERNEL32(?,?), ref: 0040719A
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004071AE
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004071C3
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004071D8
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004071ED
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 00407202
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 00407217
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 0040722C
          • Part of subcall function 00407182: LoadLibraryA.KERNEL32(?), ref: 00407288
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 0040729C
          • Part of subcall function 00407182: LoadLibraryA.KERNEL32(?), ref: 004072C0
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004072D4
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004072E9
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 004072FE
          • Part of subcall function 00407182: GetProcAddress.KERNEL32(00000000,?), ref: 00407313
        • GetTickCount.KERNEL32 ref: 00404842
        • GetCurrentProcessId.KERNEL32(00000000), ref: 00404849
        • wnsprintfW.SHLWAPI ref: 00404868
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc$LibraryLoad$ByteCharCountCurrentMultiProcessTickWidewnsprintf
        • String ID: `)~$unknown
        • API String ID: 2485750521-4245423004
        • Opcode ID: 75cfedc442df4b95d8e8b696a4586716fe7ccb04c58e01054ed7b52e6b9cf427
        • Instruction ID: 20401b48a59a1d9552065907461d0f4624847db6cd3f6aeb003d28b317f51ee0
        • Opcode Fuzzy Hash: 75cfedc442df4b95d8e8b696a4586716fe7ccb04c58e01054ed7b52e6b9cf427
        • Instruction Fuzzy Hash: 133187B6900114AFDB30DBA4DD84DAB77ACEB84354F044076FA45F75A1D7389E448B98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 00405969
        • CreateFileW.KERNEL32(000000C8,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00405996
        • WaitForSingleObject.KERNEL32(00403684,00000000), ref: 004059AE
        • InternetReadFile.WININET(00000004,?,00000400,00000004), ref: 004059CB
        • WriteFile.KERNEL32(00000000,?,00000004,00403684,00000000), ref: 004059EE
        • FlushFileBuffers.KERNEL32(00000000), ref: 00405A0A
        • CloseHandle.KERNEL32(00000000), ref: 00405A11
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$BuffersCloseCreateFlushHandleHttpInfoInternetObjectQueryReadSingleWaitWrite
        • String ID:
        • API String ID: 1338745320-0
        • Opcode ID: ac96aa19767dfd14718d721d4b91846e7640c278030ba0b1d8bca8309bb807bf
        • Instruction ID: 4ef5643d5604387e32e01bb3e82b66e6f5d46f644ce501aea801e2c18d268568
        • Opcode Fuzzy Hash: ac96aa19767dfd14718d721d4b91846e7640c278030ba0b1d8bca8309bb807bf
        • Instruction Fuzzy Hash: CC214DB1940648BFEB21DBA4DC85FEF7B78EF04344F048176E502B6190D6358A498F68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsBadHugeReadPtr.KERNEL32(0040F2C0,00000004), ref: 0040649A
        • IsBadHugeReadPtr.KERNEL32(00000080,00000008), ref: 004064C1
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004064DE
        • IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 004064F4
        • lstrcmpiA.KERNEL32(?,?), ref: 00406512
        • IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 00406522
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 00406533
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HugeRead$lstrcmpi
        • String ID:
        • API String ID: 1912838836-0
        • Opcode ID: af283ab5b4d3081d993d026825e3af4a0f9e4367152693bcddbab2ea171ca329
        • Instruction ID: 92b23dafab7c259a90b6039ca93f6839cdbc307b013bc26fadb410c313928067
        • Opcode Fuzzy Hash: af283ab5b4d3081d993d026825e3af4a0f9e4367152693bcddbab2ea171ca329
        • Instruction Fuzzy Hash: B021A1317412217BEB304F24BE0DB673398AF11B44F0A4036E947F62D5E778DC258698
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsBadHugeReadPtr.KERNEL32(0040F2C0,00000004), ref: 0041878C
        • IsBadHugeReadPtr.KERNEL32(00000080,00000008), ref: 004187B3
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004187D0
        • IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 004187E6
        • lstrcmpiA.KERNEL32(?,?), ref: 00418804
        • IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 00418814
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 00418825
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HugeRead$lstrcmpi
        • String ID:
        • API String ID: 1912838836-0
        • Opcode ID: af283ab5b4d3081d993d026825e3af4a0f9e4367152693bcddbab2ea171ca329
        • Instruction ID: 42204b5bc7ad1bed72b201e12f4a406d43c7252ad582a6cdcc2a3050eb7529b6
        • Opcode Fuzzy Hash: af283ab5b4d3081d993d026825e3af4a0f9e4367152693bcddbab2ea171ca329
        • Instruction Fuzzy Hash: 0A21C3317412119BDB309B25AE4CBE77398AF11B41B58403EE965E62D2EB78CC85C69C
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004170FC
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0041710C
        • lstrcmpiW.KERNEL32(?,007E2960), ref: 0041713C
        • Process32NextW.KERNEL32(00000000,0000022C), ref: 00417159
        • CloseHandle.KERNEL32(00000000), ref: 00417165
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
        • String ID: `)~
        • API String ID: 868014591-1148047842
        • Opcode ID: 0ccfea488853e9d7dc9dc11693c35662186fa7699c993cdff639c30b4eefb95f
        • Instruction ID: 12428db51b5919fa08f8ce1e0ac5c5066b808b5ff94006c7f309290c459963c4
        • Opcode Fuzzy Hash: 0ccfea488853e9d7dc9dc11693c35662186fa7699c993cdff639c30b4eefb95f
        • Instruction Fuzzy Hash: 5B018F31601124BBD7219BB1ED4DBFB77BCAB45B41F104076E802E2350D738C889DB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcpy.KERNEL32(?,?), ref: 00418304
        • HttpQueryInfoA.WININET(?,0000FFFF,?,00000031,00000000), ref: 0041831C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HttpInfoQuerylstrcpy
        • String ID: 1$K$O$`)~
        • API String ID: 2741786233-915486001
        • Opcode ID: 8abc947a713484ce351dcc6a97375733238a3c05a09a22c21047a77de34176a3
        • Instruction ID: 63b56d671e4b7cf0d7a745146754b0ca9b4e45485eac4e1cbb7aab89a2a11806
        • Opcode Fuzzy Hash: 8abc947a713484ce351dcc6a97375733238a3c05a09a22c21047a77de34176a3
        • Instruction Fuzzy Hash: 91F0547090020DFADF20DBA0DA55ADE7BB8AB01784F040075FD00A7191C775998ADB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrcpy.KERNEL32(?,?), ref: 00406012
        • HttpQueryInfoA.WININET(?,0000FFFF,?,00000031,00000000), ref: 0040602A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HttpInfoQuerylstrcpy
        • String ID: 1$K$O$`)~
        • API String ID: 2741786233-915486001
        • Opcode ID: 8abc947a713484ce351dcc6a97375733238a3c05a09a22c21047a77de34176a3
        • Instruction ID: c63f96bc097caacc94423774563cda3818b86ea0deecb46b42d76ea85e98ebe4
        • Opcode Fuzzy Hash: 8abc947a713484ce351dcc6a97375733238a3c05a09a22c21047a77de34176a3
        • Instruction Fuzzy Hash: 84F054F0A40209FADF30DBA0D945ADE7BBDAB01348F000071F501B6195C7B8995ADB58
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • StrCmpNIA.SHLWAPI(00000002,script,00000006), ref: 00408CE1
        • StrCmpNIA.SHLWAPI(00000001,script,00000006), ref: 00408D04
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID: nbsp;$script
        • API String ID: 0-298180595
        • Opcode ID: a4c6f304a26993cb3a54aea77b0d4bc589e9b6c302a9b68f195a4ce5175c560c
        • Instruction ID: 67aa8e12461774402ee6ecfac628b9ec79fdb9fa43df11c4b22f9f241901dff0
        • Opcode Fuzzy Hash: a4c6f304a26993cb3a54aea77b0d4bc589e9b6c302a9b68f195a4ce5175c560c
        • Instruction Fuzzy Hash: 20410634904289BEDF214FA98A947AE7F716F35300F4442BFC4C1763C6CA3C99468719
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • StrCmpNIA.SHLWAPI(00000002,script,00000006), ref: 0041AFD3
        • StrCmpNIA.SHLWAPI(00000001,script,00000006), ref: 0041AFF6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID:
        • String ID: nbsp;$script
        • API String ID: 0-298180595
        • Opcode ID: a4c6f304a26993cb3a54aea77b0d4bc589e9b6c302a9b68f195a4ce5175c560c
        • Instruction ID: 9166307a70bca4cf8536b3f98fb6ba50839cbca17a562ee597d5a0eb225ced8a
        • Opcode Fuzzy Hash: a4c6f304a26993cb3a54aea77b0d4bc589e9b6c302a9b68f195a4ce5175c560c
        • Instruction Fuzzy Hash: D341B5349046886BDF318F6989847EF7F75EB19304F44409BD4A1A6352C33D5AC6879E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateFileW.KERNEL32(00000000,?,00000001,00000000,?,00000000,00000000,00000000,00000000,?,?,?,0041D766,?,?,00000003), ref: 0041BA32
        • GetFileSizeEx.KERNEL32(00000000,00000000,?,?,?,0041D766,?,?,00000003,00000000,00000000,?), ref: 0041BA48
        • CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0041D766,?,?,00000003,00000000,00000000,?), ref: 0041BA7E
        • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,0041D766,?,?,00000003,00000000,00000000,?), ref: 0041BA9E
        • CloseHandle.KERNEL32(?,?,?,?,0041D766,?,?,00000003,00000000,00000000,?), ref: 0041BAAD
        • CloseHandle.KERNEL32(?,?,?,?,0041D766,?,?,00000003,00000000,00000000,?), ref: 0041BAB6
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$CloseCreateHandle$MappingSizeView
        • String ID:
        • API String ID: 2246244431-0
        • Opcode ID: e5b80566f35add2eb6d42d87667edb95ee45a6a992764aa9db3c097bc447bb59
        • Instruction ID: f64447c0bc9552a2845ff8122a5fa1c06479811ff1ffa8045d961a820bb4f704
        • Opcode Fuzzy Hash: e5b80566f35add2eb6d42d87667edb95ee45a6a992764aa9db3c097bc447bb59
        • Instruction Fuzzy Hash: 7C2184B1400205BFDB204FA4ED88EABBBECEF04344B10893DF466D2560D335DD949B64
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateFileW.KERNEL32(00000000,?,00000001,00000000,?,00000000,00000000,00000000,00000000,?,?,?,0040B474,?,?,00000003), ref: 00409740
        • GetFileSizeEx.KERNEL32(00000000,00000000,?,?,?,0040B474,?,?,00000003,00000000,00000000,?), ref: 00409756
        • CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,0040B474,?,?,00000003,00000000,00000000,?), ref: 0040978C
        • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,0040B474,?,?,00000003,00000000,00000000,?), ref: 004097AC
        • CloseHandle.KERNEL32(?,?,?,?,0040B474,?,?,00000003,00000000,00000000,?), ref: 004097BB
        • CloseHandle.KERNEL32(?,?,?,?,0040B474,?,?,00000003,00000000,00000000,?), ref: 004097C4
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$CloseCreateHandle$MappingSizeView
        • String ID:
        • API String ID: 2246244431-0
        • Opcode ID: e5b80566f35add2eb6d42d87667edb95ee45a6a992764aa9db3c097bc447bb59
        • Instruction ID: f5f817f11ce82f776a0c0da428eb63994cc0d8510abea348596fd831cc653a52
        • Opcode Fuzzy Hash: e5b80566f35add2eb6d42d87667edb95ee45a6a992764aa9db3c097bc447bb59
        • Instruction Fuzzy Hash: 4D218EB2020205FFDB204FA4ED88DABBBACEF04344B54893EF456E25A1E335DD549B24
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0040C8FE
        • lstrlen.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0040C97E
        • lstrlen.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0040C9C1
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0040CA53
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen$HeadersHttpRequest
        • String ID: `)~
        • API String ID: 1739361653-1148047842
        • Opcode ID: ed7368fafb18be3ce7691475b2d0d5de730f24e72750a7b7e687ffbb1d3ac7a5
        • Instruction ID: ccf8ea2e4b7ec59d4e69489057cf0dae0d50ac8f9c200b95f6cb706cfe8cec98
        • Opcode Fuzzy Hash: ed7368fafb18be3ce7691475b2d0d5de730f24e72750a7b7e687ffbb1d3ac7a5
        • Instruction Fuzzy Hash: 8051E8B2908209BFEF20ABB49C81BAF7BA8EF05314F14427FF554B22D1DB3959444A5D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • lstrlen.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 0041EBF0
        • lstrlen.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0041EC70
        • lstrlen.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 0041ECB3
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0041ED45
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen$HeadersHttpRequest
        • String ID: `)~
        • API String ID: 1739361653-1148047842
        • Opcode ID: c409848dce56f3558158ca05d0af2cc48bd87b481140e5613a691ea51c137092
        • Instruction ID: 8a9321803111d1f85ae10c589344594c30b4097e031b7d2f2d4d7a6dc806da27
        • Opcode Fuzzy Hash: c409848dce56f3558158ca05d0af2cc48bd87b481140e5613a691ea51c137092
        • Instruction Fuzzy Hash: A2513AB69096057EEF206B71AC41BEFBBB9EF05318F10015FFA10A2292E7395DD0865D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 004190D3
          • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
        • lstrlenW.KERNEL32(?), ref: 004190F8
        • Sleep.KERNEL32(000003E8), ref: 00419133
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000004,?), ref: 004191A0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ByteCharEnvironmentExpandFreeHeapMultiSleepStringsWidelstrlen
        • String ID: C
        • API String ID: 1587851778-1037565863
        • Opcode ID: 09d98240a7c16866b33f13cdd49a28726e57ab716be1cb1a3bfc5fee99339343
        • Instruction ID: a348dfda10373e52f1d234c69aeb2357173e954fa798e42130f5e2571bab1d16
        • Opcode Fuzzy Hash: 09d98240a7c16866b33f13cdd49a28726e57ab716be1cb1a3bfc5fee99339343
        • Instruction Fuzzy Hash: 0F310872800209BEDB21AFA4DC499DB3BBCEF05354F148067F90593162E7788DC9C799
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00406DE1
          • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        • lstrlenW.KERNEL32(?), ref: 00406E06
        • Sleep.KERNEL32(000003E8), ref: 00406E41
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000004,?), ref: 00406EAE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ByteCharEnvironmentExpandFreeHeapMultiSleepStringsWidelstrlen
        • String ID: C
        • API String ID: 1587851778-1037565863
        • Opcode ID: f90a010553a2779cf07a6d4a401c91871a3590bcf5362dd9779e7840c5d04b00
        • Instruction ID: ac7d3eee21ab92e437c8a5024cf294cb3657f8790051675be9f9a1b98d800940
        • Opcode Fuzzy Hash: f90a010553a2779cf07a6d4a401c91871a3590bcf5362dd9779e7840c5d04b00
        • Instruction Fuzzy Hash: D9310E76400308AADB10AFA4DD49DDB37BCEF05314F14807BF406A31D2D77889A987D5
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • OpenProcess.KERNEL32(001F0FFF,00000000,?,00405464,00000000,?,?,00417522,-0000A820,00000000,00000000,007E2960), ref: 00418D44
        • CreateRemoteThread.KERNEL32(`)~,00000000,00000000,00000000,00000000,00000000,?), ref: 00418D7B
        • CloseHandle.KERNEL32(00000000), ref: 00418D82
        • CloseHandle.KERNEL32(`)~), ref: 00418D8E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseHandle$CreateOpenProcessRemoteThread
        • String ID: `)~
        • API String ID: 1456911461-1148047842
        • Opcode ID: 8ff0ad9365fc154744a09313b643cbb3d51600d0e855dcbeec24623bbd50b0f7
        • Instruction ID: 361e6a90852ebbf3f4dbe3aff1de3bd9ce2330eb9d16cc6544a49f53b08c7d94
        • Opcode Fuzzy Hash: 8ff0ad9365fc154744a09313b643cbb3d51600d0e855dcbeec24623bbd50b0f7
        • Instruction Fuzzy Hash: FF01D272800318BFDF209FA4ECC59EE376DEF15354B04803EF906A2240D6399D898B69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: &i=$&p=$&s=
        • API String ID: 1659193697-990546340
        • Opcode ID: 55ccfe21b04cf47f912c1e2265afb7c8a2de4f3457ad11f6c2d036fe677849f3
        • Instruction ID: 9efd5233bc7076195045237d2b56087303921e7eb2ee40dd6a1cdb0c1d7d25b4
        • Opcode Fuzzy Hash: 55ccfe21b04cf47f912c1e2265afb7c8a2de4f3457ad11f6c2d036fe677849f3
        • Instruction Fuzzy Hash: A851B471500304AFCB11EFA4CD46E9F7BA8EF05304F10487AF544FB292D7799A448BA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrlen
        • String ID: &i=$&p=$&s=
        • API String ID: 1659193697-990546340
        • Opcode ID: 23a442276ac2617f24a6366a48a5d7256c608a681e7668c6529ba2c8f14e0edf
        • Instruction ID: ff4ab32e381803c445633c1c6dcb15601122941104c0e1912625ef3e545fda0c
        • Opcode Fuzzy Hash: 23a442276ac2617f24a6366a48a5d7256c608a681e7668c6529ba2c8f14e0edf
        • Instruction Fuzzy Hash: 2D51D4B5900209BFCB10EFA4CD82EDF7BB9EF05344F10406AF545A7252D739AA95CBA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrcmpilstrlen
        • String ID: <$@$`)~
        • API String ID: 3649823140-2719825832
        • Opcode ID: 8783a6d06e248123be63d12ac02cce5ef9d005318e5435f6e425c60afbcb4cf0
        • Instruction ID: a000085f5a9f64853f81bf04909989b1c7c81556f3612dad896ded7579ef13e1
        • Opcode Fuzzy Hash: 8783a6d06e248123be63d12ac02cce5ef9d005318e5435f6e425c60afbcb4cf0
        • Instruction Fuzzy Hash: D741B1721002199BDF218F58CD44AEA7BB5FF08758F12012BFD54922A0D739C8D5DF48
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: lstrcmpilstrlen
        • String ID: <$@$`)~
        • API String ID: 3649823140-2719825832
        • Opcode ID: 8783a6d06e248123be63d12ac02cce5ef9d005318e5435f6e425c60afbcb4cf0
        • Instruction ID: 66f03bc67f2c44db7353fa9000102846843d4d5fd5f5d2d2da894491804ff10b
        • Opcode Fuzzy Hash: 8783a6d06e248123be63d12ac02cce5ef9d005318e5435f6e425c60afbcb4cf0
        • Instruction Fuzzy Hash: C2418DB1500209EBDF218F54CC84BAA7BA4FF88354F14017AFF44A2290D77AD8A5DB89
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00418867
        • VirtualProtectEx.KERNEL32(?,00000004,00000040,00000000,?,00000000,?,?,00418AA4,0040F2C0,00000000,?,00000002,?,?,00000000), ref: 004188BD
        • VirtualProtectEx.KERNEL32(?,00000004,00000000,00000000,00418DE8,?,0040F2C0), ref: 004188EC
        • IsBadHugeReadPtr.KERNEL32(-00000004,00000004), ref: 004188FC
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 0041890F
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HugeRead$ProtectVirtual
        • String ID:
        • API String ID: 448013376-0
        • Opcode ID: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
        • Instruction ID: 3b3edc871396ea79312a46f6023a286a5755d9b103f8d1f86795924dceae0558
        • Opcode Fuzzy Hash: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
        • Instruction Fuzzy Hash: DB31B2B1600206ABEF20DF24DE45FFB37A8AB01358F10017EFA15A61A1DB78DD85C75A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00406575
        • VirtualProtectEx.KERNEL32(?,00000004,00000040,00000000,?,00000000,?,?,004067B2,0040F2C0,00000000,?,00000002,?,?,00000000), ref: 004065CB
        • VirtualProtectEx.KERNEL32(?,00000004,00000000,00000000,00406AF6,?,0040F2C0), ref: 004065FA
        • IsBadHugeReadPtr.KERNEL32(-00000004,00000004), ref: 0040660A
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 0040661D
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: HugeRead$ProtectVirtual
        • String ID:
        • API String ID: 448013376-0
        • Opcode ID: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
        • Instruction ID: 08a89ed80aea7e527d34867ac77fc4d2bc7af7d4e837bab127cf775790b61b52
        • Opcode Fuzzy Hash: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
        • Instruction Fuzzy Hash: 32319070600206EBEF20CF10DE45BAB37A8AB11354F15047AFA02F61E1D779D925CB59
        Uniqueness

        Uniqueness Score: -1.00%
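
Each function above is listed twice: once from the dump based at 0x411000 (call sites at 0x418xxx and up) and once from the dump based at 0x400000 (call sites at 0x406xxx and up). In every pair the API String ID is the same, the Opcode ID is usually the same, and the Instruction ID and Instruction Fuzzy Hash always differ. The Python script below is an added example, not code from the report or from the Joe Sandbox IDA plugin: it pairs the blocks by API String ID and measures the shift between matching call sites. On the blocks copied into SAMPLE the shift is a constant 0x122F2 for every pair, which is consistent with one body of code present at two addresses rather than two unrelated functions, and which tells you that the Opcode ID is the address-independent hash while the Instruction ID is the address-sensitive one. The field names and the rule "the fourth dot-separated field of the .sdmp name is the dump base" are assumptions read off the listing's own format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Fields of one function block in the listing (format assumed from the page).
REF_RE = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")
SOURCE_RE = re.compile(r"Source File:\s*(\S+\.sdmp)")
FIELD_RES = {
    "api_string_id": re.compile(r"API String ID:\s*(\d+-\d+)"),
    "opcode_id": re.compile(r"Opcode ID:\s*(\w+)"),
    "instruction_id": re.compile(r"Instruction ID:\s*(\w+)"),
}


def split_blocks(text: str) -> List[Dict]:
    """Cut the listing at each 'APIs' header; per block keep the direct call
    sites (subcall lines are skipped), the dump base the block was lifted
    from, and the three IDs the plugin prints."""
    blocks: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"refs": [], "dump": None}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if (m := REF_RE.search(line)) and "Part of subcall" not in line:
            cur["refs"].append(int(m.group(1), 16))
        elif m := SOURCE_RE.search(line):
            # assumption: 4th dot-separated field of the .sdmp name is the dump base
            cur["dump"] = int(m.group(1).split(".")[3], 16)
        else:
            for key, rx in FIELD_RES.items():
                if m := rx.search(line):
                    cur[key] = m.group(1)
    return blocks


def pair_copies(blocks: List[Dict]) -> List[Dict]:
    """Pair blocks that share an API String ID.  For each pair report which
    dumps the copies came from, whether the two hashes agree, and the shift
    between matching call sites (None unless that shift is constant)."""
    groups: Dict[str, List[Dict]] = defaultdict(list)
    for b in blocks:
        if b.get("api_string_id") and b["refs"]:
            groups[b["api_string_id"]].append(b)
    pairs = []
    for key, copies in groups.items():
        if len(copies) != 2:
            continue
        hi, lo = sorted(copies, key=lambda b: min(b["refs"]), reverse=True)
        shift = None
        if len(hi["refs"]) == len(lo["refs"]):
            deltas = {h - l for h, l in zip(hi["refs"], lo["refs"])}
            if len(deltas) == 1:
                shift = deltas.pop()
        pairs.append({
            "api_string_id": key,
            "dumps": (hi["dump"], lo["dump"]),
            "same_opcode_id": hi.get("opcode_id") == lo.get("opcode_id"),
            "same_instruction_id": hi.get("instruction_id") == lo.get("instruction_id"),
            "shift": shift,
        })
    return pairs


# Constructed input: four abridged blocks copied from the listing above.
SAMPLE = """\
APIs
• IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00418867
• VirtualProtectEx.KERNEL32(?,00000004,00000000,00000000,00418DE8,?,0040F2C0), ref: 004188EC
• Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 448013376-0
• Opcode ID: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
• Instruction ID: 3b3edc871396ea79312a46f6023a286a5755d9b103f8d1f86795924dceae0558

APIs
• IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00406575
• VirtualProtectEx.KERNEL32(?,00000004,00000000,00000000,00406AF6,?,0040F2C0), ref: 004065FA
• Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 448013376-0
• Opcode ID: 1d3db6727c4364ad016bfb416f03958e87f4f7feb1fc6f1ba3a5046e428a2e3c
• Instruction ID: 08a89ed80aea7e527d34867ac77fc4d2bc7af7d4e837bab127cf775790b61b52

APIs
• ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 004190D3
  • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
• lstrlenW.KERNEL32(?), ref: 004190F8
• Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 1587851778-1037565863
• Opcode ID: 09d98240a7c16866b33f13cdd49a28726e57ab716be1cb1a3bfc5fee99339343
• Instruction ID: a348dfda10373e52f1d234c69aeb2357173e954fa798e42130f5e2571bab1d16

APIs
• ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104), ref: 00406DE1
  • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
• lstrlenW.KERNEL32(?), ref: 00406E06
• Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API String ID: 1587851778-1037565863
• Opcode ID: f90a010553a2779cf07a6d4a401c91871a3590bcf5362dd9779e7840c5d04b00
• Instruction ID: ac7d3eee21ab92e437c8a5024cf294cb3657f8790051675be9f9a1b98d800940
"""

if __name__ == "__main__":
    for p in pair_copies(split_blocks(SAMPLE)):
        print(p["api_string_id"], [hex(d) for d in p["dumps"]], hex(p["shift"]), p)
```

Feed it the whole listing rather than SAMPLE and any pair whose shift is not 0x122F2, or whose dumps are not (0x411000, 0x400000), is a function that genuinely exists only once or was matched by string profile alone and deserves a manual look; the ExpandEnvironmentStringsW pair shows that a differing Opcode ID does not by itself break the pairing, since the call sites still line up at the same shift.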

        APIs
        • OpenProcessToken.ADVAPI32(?,00000008,?,00000000), ref: 0041BF84
        • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,00000000,00000000,00000000), ref: 0041BF9D
          • Part of subcall function 0041B131: RtlAllocateHeap.NTDLL(00000008,?,0041552E), ref: 0041B145
        • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),00000000,00000000,00000000), ref: 0041BFBF
        • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000000,?,00000000,?), ref: 0041BFE9
        • CloseHandle.KERNEL32(?), ref: 0041BFFF
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Token$Information$AccountAllocateCloseHandleHeapLookupOpenProcess
        • String ID:
        • API String ID: 3167538814-0
        • Opcode ID: bfad9ea5445f8f7004f5b1a5e25f5e8ac9ed71555fb46d73edb768e290cf2b11
        • Instruction ID: 1c5f98180eb39869bb4fabc0af09c9596afd3565865e3191052329e9db5ceec9
        • Opcode Fuzzy Hash: bfad9ea5445f8f7004f5b1a5e25f5e8ac9ed71555fb46d73edb768e290cf2b11
        • Instruction Fuzzy Hash: CA11E676900108BEDB21AFA1DD89EDEBB7DEF04340F1040B6B901E2150D7759B999BA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetEvent.KERNEL32(8B55C3C9,00000000,00000000,004084BC,?,00000000), ref: 0040A494
          • Part of subcall function 004090F0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004032BB), ref: 00409146
          • Part of subcall function 004090F0: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 00409161
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0040917D
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 00409196
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 004091B0
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 004091C9
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 004091E6
        • WaitForSingleObject.KERNEL32(835151EC,000000FF), ref: 0040A4B0
        • CloseHandle.KERNEL32(004084BC), ref: 0040A4B8
        • CloseHandle.KERNEL32(8B55C3C9), ref: 0040A4C1
        • CloseHandle.KERNEL32(835151EC), ref: 0040A4CA
          • Part of subcall function 00408E5D: RtlFreeHeap.NTDLL(00000000,00000000,00403218,00000001), ref: 00408E70
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Handle$CloseWrite$Read$CreateEventFreeHeapNamedObjectPipeSingleStateWait
        • String ID:
        • API String ID: 998100866-0
        • Opcode ID: 91e1cb02854cfa23ae641d6315fc1331f5aceebd2612f36d1fd3cadffc9a7b83
        • Instruction ID: 05f75622fb2ccfcaf7de0e263bbd32b86a1883045609672101c26cefca8f3ba6
        • Opcode Fuzzy Hash: 91e1cb02854cfa23ae641d6315fc1331f5aceebd2612f36d1fd3cadffc9a7b83
        • Instruction Fuzzy Hash: 77F0FE32014A10AFDB312F65ED09C4A7BB1FF85725310893EF1B6B18B1DB3658559B98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SetEvent.KERNEL32(8B55C3C9,00000000,00000000,0041A7AE,?,00000000), ref: 0041C786
          • Part of subcall function 0041B3E2: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004155AD), ref: 0041B438
          • Part of subcall function 0041B3E2: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 0041B453
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B46F
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B488
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B4A2
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 0041B4BB
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B4D8
        • WaitForSingleObject.KERNEL32(835151EC,000000FF), ref: 0041C7A2
        • CloseHandle.KERNEL32(0041A7AE), ref: 0041C7AA
        • CloseHandle.KERNEL32(8B55C3C9), ref: 0041C7B3
        • CloseHandle.KERNEL32(835151EC), ref: 0041C7BC
          • Part of subcall function 0041B14F: HeapFree.KERNEL32(00000000,00000000,0041550A,00000001), ref: 0041B162
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$Handle$CloseWrite$Read$CreateEventFreeHeapNamedObjectPipeSingleStateWait
        • String ID:
        • API String ID: 998100866-0
        • Opcode ID: 570b986de0e9183d20661d84143ee4529172d7397f2b8997cb6a56ad91b04caf
        • Instruction ID: 78d9fd9ae090183f4a01012cee002f36e7c3872230f353c21fbbc7b05c46e40c
        • Opcode Fuzzy Hash: 570b986de0e9183d20661d84143ee4529172d7397f2b8997cb6a56ad91b04caf
        • Instruction Fuzzy Hash: A3F08233014A00AFC7313F25ED09C4A7BB1FF84721710853AF1BAA0870DB3668559B88
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CountTick
        • String ID: `)~
        • API String ID: 536389180-1148047842
        • Opcode ID: 95c217210d69b7b14e3d34c3f0973556dc8c9eae926406303d0e55d4aa796324
        • Instruction ID: 04acef07ed3ae7d1aa009c22adcef129cec57323c4e8e428495315d29f749722
        • Opcode Fuzzy Hash: 95c217210d69b7b14e3d34c3f0973556dc8c9eae926406303d0e55d4aa796324
        • Instruction Fuzzy Hash: 8E51B0B2C0415CBFDF119FE4DC859EEBBBCAF08304F1440BAF944A2151D7399A959B68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CountTick
        • String ID: `)~
        • API String ID: 536389180-1148047842
        • Opcode ID: 8e9fb944a4c107e70964d53c595cc156e767c720db75bd668d4dae54181b0350
        • Instruction ID: 85e00a4ba03d571406ea722704bab6faac440acacbc22d2d6e8147fde2892493
        • Opcode Fuzzy Hash: 8e9fb944a4c107e70964d53c595cc156e767c720db75bd668d4dae54181b0350
        • Instruction Fuzzy Hash: C3519EB2C0425DAEDB109FE49D85DEFBBBCEF08304F1440BAF954B2191D6398A548F68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • Sleep.KERNEL32(000007D0), ref: 0041AA7E
        • Sleep.KERNEL32(00001388), ref: 0041AAE7
        • WaitForSingleObject.KERNEL32(000927C0), ref: 0041AB5A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Sleep$ObjectSingleWait
        • String ID: 0
        • API String ID: 2386783858-4108050209
        • Opcode ID: 633e9bf4161a156489d64f88972416c6c287d866c69cd69765fdbe8e44259109
        • Instruction ID: 4465c8f7013cc60eab1bc0b53460c8744063a7dceaa6d25a2e966767f327395c
        • Opcode Fuzzy Hash: 633e9bf4161a156489d64f88972416c6c287d866c69cd69765fdbe8e44259109
        • Instruction Fuzzy Hash: E8310231A05148FFDB10DB94CE81EDE7B74EF00348F1440BAE505B3291D3789A89CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • Sleep.KERNEL32(000007D0), ref: 0040878C
        • Sleep.KERNEL32(00001388), ref: 004087F5
        • WaitForSingleObject.KERNEL32(000927C0), ref: 00408868
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Sleep$ObjectSingleWait
        • String ID: 0
        • API String ID: 2386783858-4108050209
        • Opcode ID: 0228eb1e13876326b29b92d602f506d119d3b6ade2a19f15317ba4dd7b882ac6
        • Instruction ID: cd9416be0bb24b3bcbf8367ff97d3f62a2dc053c92f9f8302e014bb237b5386d
        • Opcode Fuzzy Hash: 0228eb1e13876326b29b92d602f506d119d3b6ade2a19f15317ba4dd7b882ac6
        • Instruction Fuzzy Hash: 9A310231A00205FFDB11DBA5CE45E9E7B74BB00318F2480BEE944B72D2DA389A09CB59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BBC6: GetProcessTimes.KERNEL32(?,?,?,?,004164B8,?,?,?,?,004164B8,00000002,?), ref: 0041BBDF
          • Part of subcall function 0041BBC6: wnsprintfW.SHLWAPI ref: 0041BC01
        • CreateMutexW.KERNEL32(0040FE78,00000001,?), ref: 004164C9
          • Part of subcall function 0041C9A7: lstrlenW.KERNEL32(004164D6), ref: 0041C9F8
          • Part of subcall function 0041C9A7: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,004164D6,00000000), ref: 0041CAFC
          • Part of subcall function 0041C9A7: RegSetValueExW.ADVAPI32(004164D6,?,00000000,00000001,?,00000031), ref: 0041CB1E
          • Part of subcall function 0041C9A7: RegCloseKey.ADVAPI32(004164D6), ref: 0041CB27
          • Part of subcall function 0041D16C: PathCombineW.SHLWAPI(?,007E2960,?), ref: 0041D195
          • Part of subcall function 0041D16C: PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0041D1A4
          • Part of subcall function 0041D16C: GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0041D1BD
          • Part of subcall function 0041D16C: GetTimeZoneInformation.KERNEL32(?), ref: 0041D1CC
          • Part of subcall function 0041D16C: GetVersionExW.KERNEL32(0040FF98), ref: 0041D20E
          • Part of subcall function 0041D16C: lstrlenW.KERNEL32(0040FFAC), ref: 0041D219
          • Part of subcall function 004156D3: PathCombineW.SHLWAPI(?,007E2960,?), ref: 004156FA
          • Part of subcall function 004156D3: PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00415709
          • Part of subcall function 00420188: RtlInitializeCriticalSection.NTDLL(004102E0), ref: 0042019B
          • Part of subcall function 0041E1E4: RtlInitializeCriticalSection.NTDLL(004102C4), ref: 0041E1FF
          • Part of subcall function 00416A9E: RtlInitializeCriticalSection.NTDLL(0040F810), ref: 00416AA3
        • RtlInitializeCriticalSection.NTDLL(00000000), ref: 004164F6
          • Part of subcall function 00418D9E: CreateToolhelp32Snapshot.KERNEL32(00000008,0040F2C0), ref: 00418DBA
          • Part of subcall function 00418D9E: Module32FirstW.KERNEL32(00000000,00000428), ref: 00418DCF
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CombineCriticalInitializePathSection$Create$lstrlen$CloseFileFirstInformationModuleModule32MutexNameProcessSnapshotTimeTimesToolhelp32ValueVersionZonewnsprintf
        • String ID: GetProcAddress$LoadLibraryA
        • API String ID: 3107611727-190252919
        • Opcode ID: a4ada95deb07db8b39fdd4a9c11e65c8c4d6d04035aec45be0d2bc7a056d8435
        • Instruction ID: aeb8b65f21e0663fb332df39e274061fe4afd2d8b50ce64324d8b6c3d98ae17d
        • Opcode Fuzzy Hash: a4ada95deb07db8b39fdd4a9c11e65c8c4d6d04035aec45be0d2bc7a056d8435
        • Instruction Fuzzy Hash: 9611D571904200AFD720FBA5DD43ADD33A4AF41314F21417EF814B76E2DB78A9858B6E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004098D4: GetProcessTimes.KERNEL32(?,?,?,?,004041C6,?,?,?,?,004041C6,00000002,?), ref: 004098ED
          • Part of subcall function 004098D4: wnsprintfW.SHLWAPI ref: 0040990F
        • CreateMutexW.KERNEL32(0040FE78,00000001,?), ref: 004041D7
          • Part of subcall function 0040A6B5: lstrlenW.KERNEL32(004041E4), ref: 0040A706
          • Part of subcall function 0040A6B5: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000002,00000000,A@1,00000000), ref: 0040A80A
          • Part of subcall function 0040A6B5: RegSetValueExW.ADVAPI32(A@1,?,00000000,00000001,?,00000031), ref: 0040A82C
          • Part of subcall function 0040A6B5: RegCloseKey.ADVAPI32(?), ref: 0040A835
          • Part of subcall function 0040AE7A: PathCombineW.SHLWAPI(?,007E2960,?), ref: 0040AEA3
          • Part of subcall function 0040AE7A: PathCombineW.SHLWAPI(004100B0,004100B0,?), ref: 0040AEB2
          • Part of subcall function 0040AE7A: GetModuleFileNameA.KERNEL32(00000000,0040FE90,00000103), ref: 0040AECB
          • Part of subcall function 0040AE7A: GetTimeZoneInformation.KERNEL32(?), ref: 0040AEDA
          • Part of subcall function 0040AE7A: GetVersionExW.KERNEL32(0040FF98), ref: 0040AF1C
          • Part of subcall function 0040AE7A: lstrlenW.KERNEL32(0040FFAC), ref: 0040AF27
          • Part of subcall function 004033E1: PathCombineW.SHLWAPI(?,007E2960,?), ref: 00403408
          • Part of subcall function 004033E1: PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00403417
          • Part of subcall function 0040DE96: RtlInitializeCriticalSection.NTDLL(004102E0), ref: 0040DEA9
          • Part of subcall function 0040BEF2: RtlInitializeCriticalSection.NTDLL(004102C4), ref: 0040BF0D
          • Part of subcall function 004047AC: RtlInitializeCriticalSection.NTDLL(0040F810), ref: 004047B1
        • RtlInitializeCriticalSection.NTDLL(00000000), ref: 00404204
          • Part of subcall function 00406AAC: CreateToolhelp32Snapshot.KERNEL32(00000008,0040F2C0), ref: 00406AC8
          • Part of subcall function 00406AAC: Module32FirstW.KERNEL32(00000000,00000428), ref: 00406ADD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CombineCriticalInitializePathSection$Create$lstrlen$CloseFileFirstInformationModuleModule32MutexNameProcessSnapshotTimeTimesToolhelp32ValueVersionZonewnsprintf
        • String ID: GetProcAddress$LoadLibraryA
        • API String ID: 3107611727-190252919
        • Opcode ID: 345e0e9d930a885c13db9c3b4a1f4853b6e4c8340aa5fd0ec1c1215707aeeb80
        • Instruction ID: fbeb83b90b0e5b406ed45610bf25269e1bdaf4394449c593d6a2986ceddef088
        • Opcode Fuzzy Hash: 345e0e9d930a885c13db9c3b4a1f4853b6e4c8340aa5fd0ec1c1215707aeeb80
        • Instruction Fuzzy Hash: 9C11A171904200DBD720FBA6DD06A5C33A4AB81328F20417BF610BB6E2DB7959459B9E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(0040F810), ref: 00416A17
          • Part of subcall function 0041C654: RtlReAllocateHeap.NTDLL(00000008,?,?,0041D051), ref: 0041C66F
        • lstrlen.KERNEL32(?,?,00000000,0041FD68,?,?), ref: 00416A46
        • RtlLeaveCriticalSection.NTDLL(0040F810), ref: 00416A94
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$AllocateEnterHeapLeavelstrlen
        • String ID: `)~
        • API String ID: 2235296073-1148047842
        • Opcode ID: 6f80d090fa556d7bc77ae8d0884ac0fa2f4014f8f8fe011f539ef531584695fa
        • Instruction ID: c8698b07147fb7ce8924a2160eb7466a52e5c89e8915f53a4966fe6ddebd6af2
        • Opcode Fuzzy Hash: 6f80d090fa556d7bc77ae8d0884ac0fa2f4014f8f8fe011f539ef531584695fa
        • Instruction Fuzzy Hash: 9B118272100240DFC761AF65ED48AA67BE8EF45345F15847AF884E2672C739A858CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(0040F810), ref: 00404725
          • Part of subcall function 0040A362: RtlReAllocateHeap.NTDLL(00000008,?,?,0040AD5F), ref: 0040A37D
        • lstrlen.KERNEL32(?,?,00000000,0040DA76,?,?), ref: 00404754
        • RtlLeaveCriticalSection.NTDLL(0040F810), ref: 004047A2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CriticalSection$AllocateEnterHeapLeavelstrlen
        • String ID: `)~
        • API String ID: 2235296073-1148047842
        • Opcode ID: 6f80d090fa556d7bc77ae8d0884ac0fa2f4014f8f8fe011f539ef531584695fa
        • Instruction ID: 92f2d14241d2ae6e5cc6b5db5566ad16915f664155990703f832d0c78e6157ea
        • Opcode Fuzzy Hash: 6f80d090fa556d7bc77ae8d0884ac0fa2f4014f8f8fe011f539ef531584695fa
        • Instruction Fuzzy Hash: ED1165B6100240DFC761AF65DD48EA57BE8EF85305F04847AF981E76B2C7399818CB69
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00415D89
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 00415DAD
        • RegCloseKey.ADVAPI32(?), ref: 00415DC4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateQueryValue
        • String ID: `)~
        • API String ID: 4083198587-1148047842
        • Opcode ID: 04857a0c96a0450f5815f82d1c99d2e4baacd67567df9acfaa40648d15b3c05f
        • Instruction ID: 268eca76f3d414ce074be8bb47d9c3684374a61eca618c4227d4198d4281f8db
        • Opcode Fuzzy Hash: 04857a0c96a0450f5815f82d1c99d2e4baacd67567df9acfaa40648d15b3c05f
        • Instruction Fuzzy Hash: 6201B6B6500208FFEB11DF94DD88EEE7BBDEB04348F1044B5FA05A2210D671AE549B24
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00403A97
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 00403ABB
        • RegCloseKey.ADVAPI32(?), ref: 00403AD2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateQueryValue
        • String ID: `)~
        • API String ID: 4083198587-1148047842
        • Opcode ID: a43ec8ae98d47a4dd035f9541a9ea029477c428b67a5e8b895d75a779ff7ab4e
        • Instruction ID: 55b5a6434565ae9cdc600a859463daa93aeb69e9af7c0b716eb2b17b7df1a3f6
        • Opcode Fuzzy Hash: a43ec8ae98d47a4dd035f9541a9ea029477c428b67a5e8b895d75a779ff7ab4e
        • Instruction Fuzzy Hash: 5801F6B6610108BFEB11DF90CD84EEE7BBDEB04348F0044B5F505A2250D271AE449F24
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00415DF1
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00415E0A
        • RegCloseKey.ADVAPI32(?), ref: 00415E13
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: `)~
        • API String ID: 1818849710-1148047842
        • Opcode ID: 67a988c1989eaed13ee8df9ef3aa2efdd8ad91fcc8c433d1651a5445b6dceb98
        • Instruction ID: 83a6cd5971ffb2a54902a46e4ac674cd92a77634bb045fe798704da0c149686e
        • Opcode Fuzzy Hash: 67a988c1989eaed13ee8df9ef3aa2efdd8ad91fcc8c433d1651a5445b6dceb98
        • Instruction Fuzzy Hash: A2F0F2B2101128FADB209B92DD1AEDB7F7CEF097A0F000074BA09E5061D3B1AA14DBE4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00403AFF
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00403B18
        • RegCloseKey.ADVAPI32(?), ref: 00403B21
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCreateValue
        • String ID: `)~
        • API String ID: 1818849710-1148047842
        • Opcode ID: 67a988c1989eaed13ee8df9ef3aa2efdd8ad91fcc8c433d1651a5445b6dceb98
        • Instruction ID: 7308ae3ce1c624e53ce751e96390a70dfaebecb74a0b64ce63782eb51ca1f5cb
        • Opcode Fuzzy Hash: 67a988c1989eaed13ee8df9ef3aa2efdd8ad91fcc8c433d1651a5445b6dceb98
        • Instruction Fuzzy Hash: 80F0F872101128FADB209B91DD1AEDB7F7CEF097A1F000074B609E5061D271AA14DBA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BAF2: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,0041BCB7,?), ref: 0041BB13
        • PathCombineW.SHLWAPI(?,?,007E2960), ref: 0041BCC7
        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0041BCD6
        • SetFileAttributesW.KERNEL32(?,00000006), ref: 0041BCE5
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$AttributesCombineCreateDirectoryFileFolderSpecial
        • String ID: `)~
        • API String ID: 1223427684-1148047842
        • Opcode ID: 444c3a4c6d90b3d70a8e77c4ccc2495eae8314ad678acc3d660aa32dc922a2c3
        • Instruction ID: 2f1d6abbea1d8a43dee35503765ed1cc34de330c14472e4ff4ceafb6935908a7
        • Opcode Fuzzy Hash: 444c3a4c6d90b3d70a8e77c4ccc2495eae8314ad678acc3d660aa32dc922a2c3
        • Instruction Fuzzy Hash: 3CE0ED719007199BDB60EBB4ED4DECA777CEB04205F0002B1B555E6061EE74A6888F54
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00409800: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,004099C5,?), ref: 00409821
        • PathCombineW.SHLWAPI(?,?,007E2960), ref: 004099D5
        • CreateDirectoryW.KERNEL32(?,00000000), ref: 004099E4
        • SetFileAttributesW.KERNEL32(?,00000006), ref: 004099F3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$AttributesCombineCreateDirectoryFileFolderSpecial
        • String ID: `)~
        • API String ID: 1223427684-1148047842
        • Opcode ID: aab55ea9a1aff2aaa80faeab025ceed5202209128d1ba37f199fe08942531c9a
        • Instruction ID: 790d47e6ee0613eaf0d1098a06b595c74079d66920e551d32298dac63340461a
        • Opcode Fuzzy Hash: aab55ea9a1aff2aaa80faeab025ceed5202209128d1ba37f199fe08942531c9a
        • Instruction Fuzzy Hash: 82E0ED72900709ABDB60EBB4ED4DF8A777CAB04205F0002B1A555E6062EE74AA48CF54
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CloseHandle.KERNEL32(004036C0,?), ref: 004034F4
          • Part of subcall function 004090F0: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004032BB), ref: 00409146
          • Part of subcall function 004090F0: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 00409161
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0040917D
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 00409196
          • Part of subcall function 004090F0: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 004091B0
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 004091C9
          • Part of subcall function 004090F0: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 004091E6
          • Part of subcall function 004096C5: ReleaseMutex.KERNEL32(00000000,004034A6,00000000,?,00000005,00000000,00000000,00000000,00000000,?,?,?,004036A4,?,00000001), ref: 004096C9
          • Part of subcall function 004096C5: CloseHandle.KERNEL32(?,?,?,?,004036A4,?,00000001), ref: 004096D3
        • GetCurrentThread.KERNEL32 ref: 00403528
        • SetThreadPriority.KERNEL32(00000000), ref: 0040352F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$HandleWrite$CloseReadThread$CreateCurrentMutexNamedPipePriorityReleaseState
        • String ID: `)~
        • API String ID: 523473858-1148047842
        • Opcode ID: 42cd2134430137ea6e4a45d7dc5d93288bcce46024a766a6aa3e7897d3e57971
        • Instruction ID: 6d5ab0ad82d78100ccfec2770f2854c0fe365bc412480f9fe674034582faba37
        • Opcode Fuzzy Hash: 42cd2134430137ea6e4a45d7dc5d93288bcce46024a766a6aa3e7897d3e57971
        • Instruction Fuzzy Hash: 91E0B6B1421100AFDB21AF65EF0DE263AB9FB047017440479B505F6873EA7658689FA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CloseHandle.KERNEL32(004159B2,?), ref: 004157E6
          • Part of subcall function 0041B3E2: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000010,00000000,004155AD), ref: 0041B438
          • Part of subcall function 0041B3E2: SetNamedPipeHandleState.KERNEL32(00000000,00000200,00000000,00000000), ref: 0041B453
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B46F
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B488
          • Part of subcall function 0041B3E2: WriteFile.KERNEL32(00000000,00000000,00401000,00000002,00000000), ref: 0041B4A2
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,000000FF,00000004,00000002,00000000), ref: 0041B4BB
          • Part of subcall function 0041B3E2: ReadFile.KERNEL32(00000000,00401000,00000004,00000002,00000000), ref: 0041B4D8
          • Part of subcall function 0041B9B7: ReleaseMutex.KERNEL32(00000000,00415798,00000000,?,00000005,00000000,00000000,00000000,00000000,?,?,?,00415996,?,00000001), ref: 0041B9BB
          • Part of subcall function 0041B9B7: CloseHandle.KERNEL32(?,?,?,?,00415996,?,00000001), ref: 0041B9C5
        • GetCurrentThread.KERNEL32 ref: 0041581A
        • SetThreadPriority.KERNEL32(00000000), ref: 00415821
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: File$HandleWrite$CloseReadThread$CreateCurrentMutexNamedPipePriorityReleaseState
        • String ID: `)~
        • API String ID: 523473858-1148047842
        • Opcode ID: 319c4d25ab77812d3f462327237e30215c1359fc676a0263a1022b7336f53208
        • Instruction ID: 841fa5ce256795fa2fd42a5ecdc61400cb740c95f46c5f55ef46f07722abf882
        • Opcode Fuzzy Hash: 319c4d25ab77812d3f462327237e30215c1359fc676a0263a1022b7336f53208
        • Instruction Fuzzy Hash: 57E0B6B1521100AFDB21AF75EF09D263AB9FF04702744007AF905E6832E67648689FA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041B9CC: GetTickCount.KERNEL32 ref: 0041B9CC
        • Sleep.KERNEL32(00000028), ref: 0041A1A0
        • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0041A270
        • CloseHandle.KERNEL32(00000000), ref: 0041A28A
        • WaitForSingleObject.KERNEL32(00000064), ref: 0041A2A6
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCountCreateHandleObjectSingleSleepThreadTickWait
        • String ID:
        • API String ID: 2057152098-0
        • Opcode ID: e99c84c22e8f0818ab445fd372e432df9b0d2083a79bd296a1fecb326f9cf0d5
        • Instruction ID: 237c2ce89586f03e6842fcb250dfd1c3cfad5f3d62750707056fd85efa0eea30
        • Opcode Fuzzy Hash: e99c84c22e8f0818ab445fd372e432df9b0d2083a79bd296a1fecb326f9cf0d5
        • Instruction Fuzzy Hash: 4541EC725012189BDB208F24EC48AEA7BB8FF44314F20453AFD09A3690D3398999CF5A
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 004096DA: GetTickCount.KERNEL32 ref: 004096DA
        • Sleep.KERNEL32(00000028), ref: 00407EAE
        • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00407F7E
        • CloseHandle.KERNEL32(00000000), ref: 00407F98
        • WaitForSingleObject.KERNEL32(00000064), ref: 00407FB4
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: CloseCountCreateHandleObjectSingleSleepThreadTickWait
        • String ID:
        • API String ID: 2057152098-0
        • Opcode ID: e99c84c22e8f0818ab445fd372e432df9b0d2083a79bd296a1fecb326f9cf0d5
        • Instruction ID: 39f8f62a427492a46d98af2b5aa228ef9ff3b5bdcac6d173630a44cd2c27b0df
        • Opcode Fuzzy Hash: e99c84c22e8f0818ab445fd372e432df9b0d2083a79bd296a1fecb326f9cf0d5
        • Instruction Fuzzy Hash: 6441A072908209DFDB209F25DD48AAA7BB9FF45304F20443AFD09B7691D339A909CF59
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GlobalFix.KERNEL32(00000000), ref: 00416964
        • lstrlen.KERNEL32(00000000), ref: 00416987
        • lstrlenW.KERNEL32(00000000), ref: 004169A3
        • GlobalUnWire.KERNEL32(?), ref: 004169E6
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Globallstrlen$Wire
        • String ID:
        • API String ID: 14301862-0
        • Opcode ID: 2a370b926aae0430d2956914b871820eda679bfe5e522a0be64f266e2ae6a9a3
        • Instruction ID: aca0bc33aa212a5d8f081ce76ca979f60e5f826aa624bda72d3616686dff6238
        • Opcode Fuzzy Hash: 2a370b926aae0430d2956914b871820eda679bfe5e522a0be64f266e2ae6a9a3
        • Instruction Fuzzy Hash: D911C472A113102BD21136299DC6DEF635C9F5671DB06403FFD05B2252DABEDC8485AE
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GlobalFix.KERNEL32(00000000), ref: 00404672
        • lstrlen.KERNEL32(00000000), ref: 00404695
        • lstrlenW.KERNEL32(00000000), ref: 004046B1
        • GlobalUnWire.KERNEL32(?), ref: 004046F4
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Globallstrlen$Wire
        • String ID:
        • API String ID: 14301862-0
        • Opcode ID: bc37820d1308cb7478938abc4e7ce2c3c5c61657eea1e2575736c8560612193a
        • Instruction ID: e2f41dee86db6ff6f0e66bd55a3717fa8f7ab9827121c6a419eb02fac622f125
        • Opcode Fuzzy Hash: bc37820d1308cb7478938abc4e7ce2c3c5c61657eea1e2575736c8560612193a
        • Instruction Fuzzy Hash: 0311B2B65402203BD211362A9C85D6F625C9BD3719F01043FFB45B72D2EABE980045AE
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 004068F0
        • Thread32First.KERNEL32(00000000,?), ref: 00406908
        • Thread32Next.KERNEL32(00000000,0000001C), ref: 00406920
        • CloseHandle.KERNEL32(00000000), ref: 0040692B
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
        • String ID:
        • API String ID: 3643885135-0
        • Opcode ID: fd160fed7120446fef93484a04374cb9177debfeb7a05839fdcd0187cb78c681
        • Instruction ID: e30827b7fb67f121ea048d8da65afec253a213b0f8c291223d2059843864a94e
        • Opcode Fuzzy Hash: fd160fed7120446fef93484a04374cb9177debfeb7a05839fdcd0187cb78c681
        • Instruction Fuzzy Hash: 21218971900109EFDF21AF94DD44AEF7BBAEF48300F114136FA06B2560D3358A65DBA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00418BE2
        • Thread32First.KERNEL32(00000000,?), ref: 00418BFA
        • Thread32Next.KERNEL32(00000000,0000001C), ref: 00418C12
        • CloseHandle.KERNEL32(00000000), ref: 00418C1D
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
        • String ID:
        • API String ID: 3643885135-0
        • Opcode ID: 2977f066c306d15fc5896366f2c49c1e780379829112e4c13ba13b7a7d366056
        • Instruction ID: fb77ca84a45e20019cb4d64dedc7ec6d10ccb14fb9b85d68ee75811d917bd1db
        • Opcode Fuzzy Hash: 2977f066c306d15fc5896366f2c49c1e780379829112e4c13ba13b7a7d366056
        • Instruction Fuzzy Hash: 5F213732901108EBDF219F94DD85DEF7BBAEF48345F10413AFA01A2160EB358995DBA8
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • VirtualQueryEx.KERNEL32(0040F2C0,?,?,0000001C,00000000,?,00000000), ref: 0040642F
        • VirtualProtectEx.KERNEL32(0040F2C0,?,00000002,00000040,00000000), ref: 00406457
        • WriteProcessMemory.KERNEL32(0040F2C0,?,00406AF6,00000002,00000000), ref: 0040646A
        • VirtualProtectEx.KERNEL32(0040F2C0,?,00000002,00000000,00000000), ref: 0040647E
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Virtual$Protect$MemoryProcessQueryWrite
        • String ID:
        • API String ID: 2789181485-0
        • Opcode ID: f925cb970619b4c74fe50f7605bb76f0c0f144fbe2bf7bb186da54ce2f8f1c36
        • Instruction ID: 5051be292c94b44d59fcd5fd870c262f33049cb4a889e339d068b83cd3ccd0aa
        • Opcode Fuzzy Hash: f925cb970619b4c74fe50f7605bb76f0c0f144fbe2bf7bb186da54ce2f8f1c36
        • Instruction Fuzzy Hash: BB011B3250010ABFDB218FD59D88DEF7BBDEF09650B054036BE05B1191D674D9149BA9
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • VirtualQueryEx.KERNEL32(0040F2C0,?,?,0000001C,00000000,?,00000000), ref: 00418721
        • VirtualProtectEx.KERNEL32(0040F2C0,?,00000002,00000040,00000000), ref: 00418749
        • WriteProcessMemory.KERNEL32(0040F2C0,?,00418DE8,00000002,00000000), ref: 0041875C
        • VirtualProtectEx.KERNEL32(0040F2C0,?,00000002,00000000,00000000), ref: 00418770
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Virtual$Protect$MemoryProcessQueryWrite
        • String ID:
        • API String ID: 2789181485-0
        • Opcode ID: f925cb970619b4c74fe50f7605bb76f0c0f144fbe2bf7bb186da54ce2f8f1c36
        • Instruction ID: 4d8d074034ff9247629f0a6f3120d64277f7653d465248206bf4dcbb38252027
        • Opcode Fuzzy Hash: f925cb970619b4c74fe50f7605bb76f0c0f144fbe2bf7bb186da54ce2f8f1c36
        • Instruction Fuzzy Hash: 65012932500209BBDF218F919D88EEF7B7DEF09650B14803AFA11B1194DB74D954EBA5
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcAddress.KERNEL32(?), ref: 00417739
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc
        • String ID: `)~
        • API String ID: 190572456-1148047842
        • Opcode ID: 2348ada6d270879d742cef44330047828efdd62029476d59ef74b7782e9a04df
        • Instruction ID: 53fd33ca29e9c8991cb9f524f695b8150cc84dafa28d094ad65a8a75b34d16eb
        • Opcode Fuzzy Hash: 2348ada6d270879d742cef44330047828efdd62029476d59ef74b7782e9a04df
        • Instruction Fuzzy Hash: 3C310A31518601DFCF219F18DD80AAA37B1A716331F218873E815EB6A0C739ACD99B5E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcAddress.KERNEL32(?), ref: 00405447
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: AddressProc
        • String ID: `)~
        • API String ID: 190572456-1148047842
        • Opcode ID: 2348ada6d270879d742cef44330047828efdd62029476d59ef74b7782e9a04df
        • Instruction ID: 6d4b176cee0f21564a14f14bca88255e443d7dc1466ebb7fcc280ff96bb8c85c
        • Opcode Fuzzy Hash: 2348ada6d270879d742cef44330047828efdd62029476d59ef74b7782e9a04df
        • Instruction Fuzzy Hash: E8312C31914A00CBDF21AB14D94076B33A0E715361F258873EC15FBAA0C3B9AC959F5E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcessTimes.KERNEL32(?,?,?,?,004041C6,?,?,?,?,004041C6,00000002,?), ref: 004098ED
        • wnsprintfW.SHLWAPI ref: 0040990F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ProcessTimeswnsprintf
        • String ID: `)~
        • API String ID: 1788875032-1148047842
        • Opcode ID: 8f2ed84cc6b82fc2c3e658559c8390361cf84fa3f97f0d71e8244d3463bf00a7
        • Instruction ID: 2d8d682ef4756c5c789d9655938fb8f95ec453831d538bb86ca47ab7732ca8d5
        • Opcode Fuzzy Hash: 8f2ed84cc6b82fc2c3e658559c8390361cf84fa3f97f0d71e8244d3463bf00a7
        • Instruction Fuzzy Hash: 1AF0927640010CFBCF02DFD4DD45CDE7B79BB08204F004161FA01A1061D672A6689BA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetProcessTimes.KERNEL32(?,?,?,?,004164B8,?,?,?,?,004164B8,00000002,?), ref: 0041BBDF
        • wnsprintfW.SHLWAPI ref: 0041BC01
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: ProcessTimeswnsprintf
        • String ID: `)~
        • API String ID: 1788875032-1148047842
        • Opcode ID: 8f2ed84cc6b82fc2c3e658559c8390361cf84fa3f97f0d71e8244d3463bf00a7
        • Instruction ID: 2d8d682ef4756c5c789d9655938fb8f95ec453831d538bb86ca47ab7732ca8d5
        • Opcode Fuzzy Hash: 8f2ed84cc6b82fc2c3e658559c8390361cf84fa3f97f0d71e8244d3463bf00a7
        • Instruction Fuzzy Hash: 1AF0927640010CFBCF02DFD4DD45CDE7B79BB08204F004161FA01A1061D672A6689BA4
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 0041BAF2: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,0041BCB7,?), ref: 0041BB13
        • PathCombineW.SHLWAPI(?,007E2960,?), ref: 004156FA
        • PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00415709
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FolderSpecial
        • String ID: `)~
        • API String ID: 2638848501-1148047842
        • Opcode ID: 5bc3fa129fa57fb3a6267bae138e154b9c7db59eb533bf6a5c378e6d1c6bed4a
        • Instruction ID: 3307c3b708afc814e5e608ebbcc8190b1562643d6e205062d94bd6ef74d1c4bf
        • Opcode Fuzzy Hash: 5bc3fa129fa57fb3a6267bae138e154b9c7db59eb533bf6a5c378e6d1c6bed4a
        • Instruction Fuzzy Hash: 61E09231501228AFDB209B64DE4DDC7376CEF00306F000071F404A6071DB789958CB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
          • Part of subcall function 00409800: SHGetSpecialFolderPathW.SHELL32(00000000,?,-00000025,00000001,004099C5,?), ref: 00409821
        • PathCombineW.SHLWAPI(?,007E2960,?), ref: 00403408
        • PathCombineW.SHLWAPI(0040F5A8,0040F5A8,?), ref: 00403417
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Path$Combine$FolderSpecial
        • String ID: `)~
        • API String ID: 2638848501-1148047842
        • Opcode ID: 66ea78071f0f3097776f10462ba803725c7487f871236955ce49ff11c5b743a7
        • Instruction ID: 5c675e1d9fed30ca06d18c40b328097804fd2ccebb16c2cf4054b33c3e80a972
        • Opcode Fuzzy Hash: 66ea78071f0f3097776f10462ba803725c7487f871236955ce49ff11c5b743a7
        • Instruction Fuzzy Hash: 5AE09232501228AFDB20AB64DE0DEC7376CEF01306F000071F404A6172DB789918CB98
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • GetTempPathW.KERNEL32(00000104,?), ref: 0040992F
        • GetTempFileNameW.KERNEL32(?,004030F8,00000000,7@), ref: 00409946
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.3243161573.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.3243161573.0000000000411000.00000040.00000001.01000000.00000003.sdmp
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_nwVe0gplCc.jbxd
        Similarity
        • API ID: Temp$FileNamePath
        • String ID: 7@
        • API String ID: 3285503233-48919864
        • Opcode ID: 6314b982fe8dc7b1bdbeb6a1bb4bb4d3c172769e26dd3e0884dbb9d96698cab5
        • Instruction ID: e2d4739a0a40800148c54bb5d1ecf0089ffb7fd3268b0a5a830a9fc4773b13d2
        • Opcode Fuzzy Hash: 6314b982fe8dc7b1bdbeb6a1bb4bb4d3c172769e26dd3e0884dbb9d96698cab5
        • Instruction Fuzzy Hash: 74D05E3054030EBBDB20AB90DD0EFD63B6CAB00B09F0001B07754A10E2DAB0A6898B94
        Uniqueness

        Uniqueness Score: -1.00%